7Seas Holidays Limited is committed to protecting and respecting your privacy. This notice sets out how we will use any personal data that we hold about you.
General Data Protection Regulation
GDPR is intended to be an evolution in the way that data is protected rather than a revolution. Many Members will have processes and systems in place that go a long way towards compliance with the rules.
The GDPR requires you to have clear and robust processes in place when handling personal data relating to your customers, your staff or other persons who come into contact with your business.
Further details on the GDPR and on data protection more generally can be found on the website of the Information Commissioner’s Office (ICO): www.ico.org.uk
Information to be provided to data subjects
The GDPR sets out the information that you must provide to the people whose data you hold.
The information provided must be:
• concise, transparent, intelligible and in an easily accessible form;
• in clear and plain language;
• free of charge.
Where you collect the data directly from the data subject you must provide them with the following information:
|Information required||Explanatory note|
|The identity and contact details of the data controller or the data controller’s representative.||Your company will be the data controller where you are collecting the data directly from the data subject for your own purposes.|
|The contact details of the data protection officer where one is appointed.||You must appoint a data protection officer (someone with specific expertise in data protection) for the business if the core activities of the business consist of data processing operations (e.g. the collection, storage, use and disclosure of personal information), which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or consist of processing, on a large scale, special categories of data. Special categories of data include data that reveals racial or ethnic origin (such as passports) or religious belief and data concerning health.
If you are not required to appoint a data protection officer, it is good practice in any event to have a named individual who is responsible for data protection matters.
The GDPR does not define what constitutes large-scale processing. The following factors should be considered when determining whether the processing is carried out on a large scale:
• the number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
• the volume of data and/or the range of different data items being processed;
• the duration, or permanence, of the data processing activity;
• the geographical extent of the processing activity.|
|Why you are processing the data and the legal basis on which you are processing it.||You need to explain what you are going to do with the data and why you are allowed to hold it under GDPR. This might be because:
• you have obtained the consent of the person, or, if a child, their parent or guardian; or
• the processing is necessary in relation to a contract which the person has entered into for a holiday or other arrangement or because they have asked for something to be done so they can enter into a contract; or
• you must process the data because of a legal obligation that applies to you (not an obligation under a contract); or
• the processing is in accordance with the legitimate interests condition (this is interpreted narrowly so cannot be used to simply describe the ordinary business interests a company may have to override the need for other legal bases).|
|Where you are relying on the legitimate interest condition, what those legitimate interests are.||In order to rely on this reason for processing the data you must be able to show that certain requirements apply:
The first requirement is that you need to process the information for the purposes of your legitimate interests or for those of a third party to whom you disclose it. GDPR says that the processing of personal data for direct marketing purposes may be regarded as being carried out for a legitimate interest.
The second requirement, once the first has been established, is that the legitimate interests must be balanced against the interests of the individual(s) concerned.
Finally, the processing of information under the legitimate interests condition must be fair and lawful and must comply with all the data protection principles such as transparency, accuracy, relevance and security (https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/principles/).
The ICO has produced detailed guidance on the use of the legitimate interests basis (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/).|
|Who you will be sharing the data with.||This will be a list of suppliers where that is possible or the categories of suppliers, e.g. airlines, hotels etc. When your sharing and the subsequent use of data is based on consent, data subjects must be informed of the identity of data controllers relying on that consent.|
|Where applicable, the fact that you intend sending the data outside of the EEA and what safeguards are in place.||Travel companies are likely to be sending data to countries outside the EEA and, if you do, you should explain whether the European Commission has decided that the country has an adequate level of protection and, if not, whether there are adequate safeguards in place with the organisation receiving the data such as standard data protection clauses in the form of the template transfer clauses adopted by the Commission.
Where neither of those applies you can only send data outside of the EEA where the transfer is:
• made with the individual’s informed consent;
• necessary for the performance of a contract between the individual and the organisation receiving the data or for pre-contractual steps taken at the individual’s request.
Remember that where the data concerned is special category data, you will need the data subject’s consent to handle the data.|
|How long you will be holding the data for or the criteria that you use to determine what any retention period will be.||You should not be holding data for longer than is necessary for the relevant purpose or purposes. After that period it should be deleted.|
|The fact that the data subject has the right to request access to the data held about them; rectification of any errors; erasure of the data where appropriate; as well as the right to data portability.||Individuals have the right to obtain:
• confirmation that their data is being processed;
• access to their personal data.
You cannot charge for providing this information and you must provide the information within one month of receipt of the request.
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. They can also request the deletion or removal of personal data where there is no compelling reason for its continued processing (the right to be forgotten).
This applies where:
• the personal data is no longer necessary for the purpose which you originally collected or processed it for;
• you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
• you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
• you are processing the personal data for direct marketing purposes and the individual objects to that processing;
• you have processed the personal data without a proper legal basis;
• you have to do it to comply with a legal obligation; or
• you have processed the personal data to offer services online (information society services) to a child.
The right to erasure does not apply if processing is necessary for one of the following reasons:
• to exercise the right of freedom of expression and information;
• to comply with a legal obligation;
• for the establishment, exercise or defence of legal claims.
The right to data portability applies when processing is carried out by automated means; and is based on consent or because the processing is necessary for the performance of a contract; and where the data has been provided to the data controller by the individual. “Provided by” would include data generated by observing the individual’s activity, e.g. past bookings and expenditure.
The right allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way. You will need to provide the information in a structured, commonly used and machine-readable format that can be easily transferred to another controller and you cannot charge for it.|
|Where the data is processed due to the consent of the data subject, their right to withdraw their||You should track and document when an individual gives their consent and when they withdraw that consent.|
|The data subject’s right to complain to the relevant supervisory authority.||For companies in the UK and, in any event, for data subjects born, working or living in the UK, this will generally be the Information Commissioner’s Office.|
|Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data.||If you are relying on the fact that you need to process the data in order to comply with statutory or contractual requirements or so that the data subject can enter into a contract, you should explain the consequences of not providing the data.|
Where you have not collected the data directly from the data subject you must provide them with the following additional information:
|The categories of personal data that you hold.||You should explain what types of data you hold about individuals where the individuals have not given you this information themselves.|
|The source from which the data has been obtained.||You should explain where the data has been obtained from if not directly from the data subject and whether it came from a publicly accessible source.|
When and how should the information be provided?
The information should generally be provided to the data subject when the data is collected. It is obviously not practical to provide all of the necessary information every time that you collect each additional piece of data from a customer, staff member or other data subject. However, neither is it reasonable to simply list the information in one document that sits on your website without making specific reference to it whenever data is collected.
The best approach for delivering the necessary information will depend on how you collect the data. In a face to face situation you can explain why you are collecting the data. If you need the person’s consent, for example where you will be sending details of their health needs to another supplier, you can explain why and record their consent on the booking. You can then give them a copy of the fuller written privacy notice.
If you collect the data online you can provide brief details of why you need the specific data that you are asking for and provide a link through to the full Privacy Notice on your website.
The ICO has produced helpful information on Privacy Notices which can be found on their website.