EXTERNAL PRIVACY POLICY

Introduction

This is the privacy policy of Bakkafrost Scotland Limited (SC107275) ("BFS", "Bakkafrost Scotland", "we", "our", "us"). BFS is part of the P/F Bakkafrost Group. When we collect and use your Personal Data in the ways outlined in this privacy policy, we are the data controller for the purposes of Data Protection Legislation and are responsible for this website.

 

It is important that you read and retain this privacy policy, together with any other privacy policy we may provide on specific occasions when we are collecting or Processing Personal Data about you. This privacy policy does not form part of any contract. If you have any questions about this privacy policy, including any requests to exercise your legal rights please contact us using the information in the contact details section.

The General Section of the privacy policy applies to all types of individuals that Bakkafrost Scotland interacts with*. There are then specific section(s) that will or will not apply to you depending on how you interact with us. Please read the relevant Sections that apply to you.

 

1. General Section: For anyone that interacts with us*.  

2. Customer Section: If you are an existing, previous or potential customer or client of ours or contact.

3. Supplier Section: If you have provided or are providing goods or services to us; or act as a sub-contractor on our behalf for services or goods which benefit our customers or clients.

4. Stakeholder Section: If we work with you on projects.

5. Website Section: If you visit or use one or more of our websites.

6. Marketing Section: If you receive marketing communications or updates from us.

7. Enquiries and Feedback Section: If you make any enquiries or provide feedback to us (including customer reviews).

8. Visitor Section: If you visit our premises or sites.

9. Community Fund Section: If your organisation applies to or is involved in our community fund.

*This privacy policy does not apply to you if you are an employee or job applicant, and we will provide you with a separate privacy policy. This privacy policy does not apply to you if your personal data is collected by our vehicle technologies, and you can access that privacy policy by following the QR code or link on our vehicle stickers.

Purpose of this privacy policy

The purpose of making you are aware of how and why we are using your Personal Data and outline your rights are under the Data Protection Legislation. We do not knowingly collect data relating to minors.

 

Contact details

If you have any questions about this privacy policy or about the use of your Personal Data or you want to exercise your privacy rights, please email communications@bakkafrost.com or write to the Data Protection Lead, 28 Drumsheugh Gardens, Edinburgh, Scotland, EH3 7RN. 0131 718 8400

 

Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review. From time to time, we may change this privacy policy.

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us, for example a new address or email address. We cannot be held responsible for any errors in your Personal Data unless you have notified us of a relevant change. 

Key terms 

• Data Protection Legislation: means, the Data Protection Act 2018 (DPA 2018), the Data (Use and Access) Act 2025, the UK GDPR as referred to in section 3(10) (as supplemented by section 205(4)) of the DPA 2018; and any applicable legislation adopted by the UK.

• Personal Data is any information identifying you as a specific individual. It can identify you directly from that information alone or indirectly in combination with other information we hold or can reasonably access. As well as identifying you as a specific individual, to be Personal Data, the data must also relate to you. Truly anonymous information is not Personal Data.

• Processing is almost anything that can be done with Personal Data, including collecting, recording, storing, using, analysing, combining, disclosing or deleting it.

• Special Category Data means information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.

• Criminal Offence Data means Personal Data relating to the alleged commission of offences by you; or proceedings for an offence committed or alleged to have been committed by you or the disposal of such proceedings, including sentencing.

• A Data Controller is someone who decides why Personal Data is to be collected and how it will be used and treated.

• Information Commissioner's Office (ICO) or Information Commission is the UK supervisory authority for data protection issues.

 

1. GENERAL SECTION

Types of Personal Data we collect about you

If you are interacting with us as a corporate body, then in most instances the data we collect from you will not be Personal Data and instead is data related to a business. If you are interacting with us as a consumer, a sole trader, or an unincorporated organisation, or you are an individual member on behalf of a corporate body, we may collect some Personal Data about you during the relationship or Contract we have, depending on how you interact with us.

We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together as follows:

·       Accreditation Data may include job title, details of experience, skills and/or qualifications or accreditations which is inferred and/or provided as part of our Contract with you or on behalf of a corporate body.

·       Identity Data includes first name, last name, any previous names, username or similar identifier, marital status, title, date of birth, pronouns and gender, business name, username or title (which may disclose marital status), similar identifier.

·       Contact Data includes billing address, business address, postal address, delivery address, email address and telephone numbers.

·       Communications Data includes records of correspondence and communications with you.

·       Diligence Data includes any diligence we require to conduct on you and/or your business to understand whether you are able to provide the services and/or goods we or our client requires, or to protect us against fraud, financial loss, money laundering or other crimes.

·       Feedback Data includes records and detail regarding any enquiries, feedback or complaints you make (including customer reviews on our website shop).

·       Financial Data includes bank account and payment card details.

·       Grant Application Data means any information provided in an application form for our community fund.

·       Health Data means any information collected about your health in our forms before you enter our premises or sites where our fish or other food products are located or processed.

·       Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us or we have purchased from you.

·       Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access our website.

·       Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.

·       Usage Data includes information about how you interact with and use our websites, products and services.

·       Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

·       Premises Data includes information that we may collect about you if you visit our premises, such as CCTV footage and any information logged in our visitors book, where relevant. This may include Health Data.

 

Legal basis for collecting and using your Personal Data

·       Contract: We may use your Personal Data where it is necessary for the performance of a contract we have with you (e.g., customer contract, services contract), or because you have asked us to take specific steps before entering into a contract.

·       Legitimate Interests: We may use your Personal Data where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud and enable us to give you the best and most secure customer experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we Process your Personal Data for our legitimate interests. We do not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

·       Legal Obligation: We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.

·       Vital Interests: the use of your Personal Data is necessary to protect your vital interests e.g your life.

·       Consent: We rely on consent only where we have obtained your active agreement to use your Personal Data for a specified purpose.

 

Additional Condition

To Process your Special Category Data and / or Criminal Offence Data, in addition to the Legal Basis, we must apply one of the following additional conditions:

·       Consent: you give your explicit consent for us to Process your Personal Data for that purpose

·       Vital Interests: your Personal Data is necessary to protect your vital interests e.g., your life.

·       Manifestly Public: relates to Personal Data which are manifestly made public by you.

·       Legal Claims: necessary for the establishment, exercise or defence of legal claims.

·       Substantial Public Interest: necessary for substantial public interest, on the basis of law.

 

Automated Decision Making

Automated decision-making takes place when an electronic system uses Personal Data to make a decision without human intervention. We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

Your Data Protection Rights

·       Right of access: You have the right to ask us for copies of your Personal Data. There are some exemptions, which means you may not always receive all the information we Process.

·       Right to rectification: You have the right to request correction of the Personal Data that we hold about you. We may need to verify the accuracy of the new data you provide.

·       Right to erasure: You have the right to request the erasing of personal information in certain circumstances, including; where there is no good reason for us continuing to process it, where you have successfully exercised your right to object to Processing in the circumstance that your data was used unlawfully or where we are required to erase Personal Data to comply with law.

·       Right to object to processing: You have the right to object to Processing where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to Processing, if you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are Processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to Process your information which override your rights and freedoms.

·       Right to restriction of processing: You have the right to ask us to restrict or suspend the Processing of your information in certain circumstances; (a) if you want us to establish the data's accuracy; (b) where the use data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify grounds of use.

·       Right to data portability: This only applies to information you have given us and only applies based on your consent or agreeing a business contract and the processing of data is automated. You have the right to ask that we transfer data you gave us from one organisation to another or give it to you.

·       Right to withdraw Consent at any time where we are relying on Consent to Process data: This will not affect the lawfulness of any data processed before you withdraw Consent.

 

You will not usually have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We may request specific information from you to confirm your identity and ensure your right to access your Personal Data. This is a security measure.

Your right to complain

We work to high standards when it comes to Processing your Personal Data. If you have queries or concerns, please contact us. If you remain dissatisfied, you can make a complaint to the:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel: 0303 123 1113

Email: casework@ico.org.uk

https://ico.org.uk/global/contact-us/

 

How is your Personal Data collected?

We use different methods to collect Personal Data from and about you including through:

 

Direct interactions. You may give us your Personal Data directly by filling in our forms (online and paper copies), submitting information to our website live chat-bots or by corresponding with us or by speaking with us in person.

 

Indirect interactions. We will also receive Personal Data about you indirectly from our systems (e.g. CCTV), from publicly available sources (e.g, search engines and social media) and databases, and from third parties (including third parties who purchase you a gift voucher).

 

If you fail to provide Personal Data

When we rely on the Legal Basis of Contract and you fail to provide certain information when requested, we may not be able to perform the Contract we have entered into with you (such as delivery goods we agreed to sell to you or paying you for goods or services you have delivered to us).

 

When we rely on the Legal Basis of Legal Obligation, and you fail to provide certain information when requested we may be prevented from complying with our legal obligations (such as to ensure the health and safety).

 

In each of these instances, we may be required to suspend and/or terminate the contract or relationship that we have with you or to amend the terms of the contract or relationship, and we cannot be liable for any failure or delay.

 

Data Retention

We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

 

To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we Process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes. In some circumstances you can ask us to delete your data. In some circumstances we will anonymise your Personal Data for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

 

Uses of Personal Data

Your Personal Data may be included in business records e.g., voicemails, e-mails, correspondence, documents, and other work product and communications created, stored or transmitted using our networks, applications, devices, computers or communications equipment. We have this information as it is necessary for our business and therefore in our Legitimate Interests.

 

We require to use any or all types of your Personal Data for litigation purposes depending on the specific nature of the litigation. We rely on the Legal Basis of our Legitimate Interests for this purpose, and the Additional Condition of Legal Claims.

 

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the Legal Basis which allows us to do so. Please note that we may Process your Personal Data without your knowledge or Consent where this is required or permitted by law or regulation.

 

Disclosures of your Personal Data

We share your Personal Data with others in certain circumstances as detailed below.

 

International transfers

Whenever we transfer your Personal Data out of the UK to countries which have laws that do not provide the same level of data protection as the Data Protection Legislation, we always ensure that a similar degree of protection is afforded to it by ensuring that one of the following safeguards are implemented:

 

·       Personal Data is only transferred to countries that have been deemed to provide an adequate level of protection by the UK government, as relevant;

·       Appropriate safeguards are in place including international data transfer agreements, binding corporate rules, standard contractual clauses approved for use, an approved code of conduct, or an approved certification mechanism;

·       Where we use certain service providers, we may use specific contracts approved for use in the UK ; and/or

·       You have provided your explicit consent to the transfer of your Personal Data outside of the UK.

 

Group structure

BFS is part of a group. BFS may also share your data with its parent company P/F Bakkafrost registered in the Faroe Islands. An adequacy regulation has been issued for the Faroe Islands by the UK Government and such transfers do not require any specific authorisation in that regard.

 

Service providers

We contract with third party service providers and suppliers (including contractors and agents) to deliver services. Our service providers change from time to time. We currently use the following categories of service providers:

•           accounting and auditing services;

•           legal and other professional services;

•           IT providers, including the provision of hosting, storage and maintenance/support services.

•           marketing and PR representatives;

•           consultants;

•           banking services;

•           administration services;

•           third party payment processors

•           web and behaviour analytics services. 

 

Legal and regulatory and court orders

We will also provide your Personal Data to third parties where there is a legal obligation to do so, for example to regulators, government departments, law enforcement, tax authorities and any relevant dispute resolution body or the courts or where a court order mandates disclosure. This may include making returns to HMRC.

 

Restructure

We may also share your data with third parties in the context of a sale of some or all of its business. In those circumstances the personal data shared will be subject to confidentiality arrangements.

 

Authorised third party

We will provide information about you to any other person who is sufficiently authorised to act on your behalf.

 

Audits

There may be instances where your personal data is reviewed as part of an audit.

 

2. CUSTOMER SECTION
(Existing, Previous or Potential Customers and Voucher Recipients)

We have set out below, in a table format, a description of all the ways we plan to use the various categories of your Personal Data, and which of the Legal Basis we rely on to do so. We have also identified the Legitimate Interests

 

Purpose/Use	Type of data	Legal Basis and Additional Condition
To check whether we can act for you as a new or existing client or customer and carry out all of our due diligence checks which may include anti-money laundering, anti-terrorism, sanctions, fraud and background screening	(a) Identity Data (b) Contact Data (c) Diligence Data	(a) Contract (b) Legitimate Interests (to know our client and to protect our business) (c) Legal Obligation
To register you as a new customer	(a) Identity (b) Contact	(a) Contract
To process and deliver your order for products (including gift vouchers) including: (a)Engage service providers, Manage payments, fees and charges (b) Collect and recover money owed to us	(a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications	(a) Contract   (b) Legitimate Interests (to recover sums owed to us)
To enable you to receive the benefit of a voucher.	(a) Identity (b) Contact	(a) Contract (b) Legitimate Interests (to provide you with and allow you to use a gift voucher)
To provide you with information on our products and services	(a) Identity Data (b) Contact Data (c) Feedback Data (d)Communications Data	(a) Legitimate Interests (to help our business grow and make recommendations to you)
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy (b) Dealing with your requests, complaints and queries (c) Provide you with information or advertising relating to our products or services.	(a) Identity (b) Contact (c) Profile (d) Marketing and Communications	(a) Contract   (b) Legal Obligation   (c) Legitimate Interests (to keep our records updated and manage our relationship with you)
To enable you to partake in a prize draw, competition or complete survey/provide feedback	(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Feedback Data	(a) Contract   (b) Legitimate Interests (to study how customers use our products/services, to develop them and grow our business)
To meet legal, regulatory, statutory and ethical responsibilities	All Personal Data	(a) Legal Obligation (b) Legitimate Interest of meeting legal requirements (c) Legal Claims (d) Manifestly Public
To disclose your Personal Data to a court or competent authority	All Personal Data	(a)  Legal Obligation (b) Legitimate Interest of meeting legal requirements (c) Legal Claims (d) Manifestly Public
To prevent and detect crime, fraud or corruption	All Personal Data	(a) Legal Obligation (b) Legitimate Interest of meeting legal requirements (c) Legal Claims (d) Manifestly Public

 

 

3. SUPPLIER SECTION

(if you provide services and/or goods to us for the benefit of our customers or clients)

We have set out below, in a table format, a description of all the ways we plan to use the various categories of your Personal Data, on which Legal Basis we rely on and identified our Legitimate Interests.

 

Purpose/Use	Type of data	Legal Basis & Condition
To check whether you can meet our or our customer's requirements	(a) Identity Data (b) Contact Data (c) Diligence Data (d) Accreditation Data	(a) Contract (b) Legitimate Interests (to ensure you can meet the applicable requirements)
To carry out all of diligence requirements, including anti-money laundering, anti-terrorism, sanctions, fraud and background screening	(a)Identity Data (b) Contact Data (c) Diligence Data (d) Accreditation Data	(a)Contract (b) Legitimate Interests (to know our client and to protect our business) (c) Legal Obligation
To pay you for your goods or services	(a) Identity Data (b) Contact Data (c) Financial Data (d) Transaction Data	(a) Contract (b) Legitimate Interests (to recover sums owed to us)
To manage our relationship and Contract with you	(a) Identity Data (b) Contact Data	(a)  Contract (b) Legitimate Interests (to keep our records updated)
To prevent and detect crime, fraud or corruption	All Personal Data	(a) Legal Obligation (b) Legitimate Interests of meeting legal requirements (c) Legal Claims (d) Manifestly Public
To meet legal, regulatory, statutory and ethical responsibilities	All Personal Data	(a) Legal Obligation (b) Legitimate Interests of meeting legal requirements (c) Legal Claims (d) Manifestly Public

 

 

4. STAKEHOLDER SECTION

(purposes of Site Development or other projects)

We keep a list of all those parties working on our projects including Contact Data, Identity Data such as e-mail addresses and phone numbers. We also retain copies of any Communications Data such as letters and/or correspondences sent to such parties in connection with the projects. Other Personal Data may be retained, where necessary for the purposes of projects. This is on the basis of our Legitimate Interests of holding a record of who we have worked with on projects.

 

5. WEBSITE SECTION

(if you visit or use our websites and/or purchase goods from us)

We operate the following website(s):

·       https://www.bakkafrostscotland.com/

·       https://www.nativehebrideansalmon.com/

·       https://www.lochlander.com/

·       https://bakkafrostshop.co.uk/

 

As you interact with our websites, we may automatically collect Usage Data and Technical Data about your equipment, browsing actions and patterns. We collect this data by using cookies, server logs, web beacons and other similar technologies. We use this to perform data analytics on the basis of our Legitimate Interests to improve our website, products/services, marketing, customer relationships and experiences.

We use Shopify to power our website, bakkafrostshop.co.uk. You can read more about how Shopify processes your personal data here: https://www.shopify.com/uk/legal/privacy.

 

Cookies and similar technology

For more information about the cookies we use, please see our Cookies Policy and notices on our websites.

Do not track

We do not alter our website’s data collection and use practices when we see a Do Not Track signal from your browser.

 

Third-party links

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our websites, we encourage you to read the privacy policy of every website you visit.

 

6. MARKETING SECTION

(marketing communications or updates)

 

If you are a business contact, for all methods of contact it is necessary for our Legitimate Interests (to develop our products/services and grow our business).

If you are a consumer contact, we will obtain your Consent for email marketing or text marketing unless we can rely on the soft-opt in exemption, in which can we rely on our Legitimate Interests (to develop our products/services and grow our business). For postal marketing and live telephone marketing, we rely on our Legitimate Interests (to develop our products/services and grow our business).

You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have not opted out of receiving the marketing.

 

We may also analyse your Identity, Contact, Technical, Usage and Profile Data to form a view which products, services and offers may be of interest to you so that we can then send you relevant marketing communications.

 

You can ask us to stop sending you marketing messages at any time by contacting us (Section 1.3) or using the unsubscribe links.  You can opt out of targeted behavioural advertising by using the relevant search provider's process forms.

If you opt out of receiving marketing communications, you will still receive product or service-related communications that are essential for administrative or customer service purposes for example relating to order confirmations.

 

7. ENQUIRIES AND FEEDBACK SECTION

 

Purpose/Use	Type of data	Legal Basis and Additional Condition
To respond to and deal with any enquiry or complaint you send to us including any media enquiries.	(a) Identity Data (b) Contact Data (c) Communications Data (d) Feedback Data	(a) Legitimate Interests (to respond to your enquiry or complaint).
To show your submitted reviews on our websites and make them available to other users.	(a) Identity Data (b) Contact Data (c) Technical Data (d) Feedback Data (e) Profile Data	(a) Legitimate interests to provide customer reviews.
To assess and manage harmful or illegal content, including: ·       Detecting and filtering spam, abusive language, or unlawful material   ·       Supporting internal risk assessments and content moderation procedures required.	(a) Identity Data (b) Contact Data (c) Technical Data (d) Feedback Data (e) Profile Data	(a) Legal obligation (b) Legitimate Interests of meeting legal requirements (c) Legal Claims (d) Manifestly Public

 

 

You understand that if you leave a customer review on our online shop https://bakkafrostshop.co.uk/ that the information that you submit (other than your email address) will be public. By submitting your review, you agree to Judge.me's terms, privacy and content policies.

 

8. VISITOR SECTION

 

Purpose/Use	Type of data	Legal Basis & Condition
For health and safety purposes so that we know who is present at our premises (e.g., in the event of a fire or other emergency)	Identity Data Premises Data	Legal Obligation Our Legitimate Interests to protect the health and safety of those who attend our premises.
For security purposes, so that can keep our product, premises and staff safe	Identity Data Premises Data	Legal Obligation Our Legitimate Interests to protect the health and safety of those who attend our premises.
For food safety purposes we may collect health information about you	Identity Data Premises Data  Health Data	Legal Obligation Our Legitimate Interests to protect the health and safety of those on our premises. Condition: Public Interest or Consent

 

 

9. COMMUNITY FUND SECTION

(if you benefit from or have applied to our fund)

 

Purpose/Use	Type of data	Legal Basis & Condition
To consider your application	Contact, Identity & Grant Application Data	Contract
To administer and manage the grant	Contact, Identity, Grant Application, Financial & Communications Data	Contract

 

 

 

 

For more information on the Community Fund, see: Bakkafrost Scotland | Community Fund. Applications to the Community Fund are open to organisations rather than individuals and so the majority of Grant Application Data is not Personal Data.

 

Updated as of March 2026.