Data Protection Policy

This Data Protection Policy fulfils our requirements under the GDPR Article 5(2) accountability principle. We need to gather and use certain information about visitors, as defined in the Privacy Policy. We will ensure that all personal data that we hold will be:

• Processed lawfully, fairly and transparently
  • To ensure data processing is lawful, fair and transparent, the way in which we process personal data is detailed within our privacy notice. Our privacy notice will be kept up to date and reviewed every year in line with our policy and security document review schedules.
• Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (purpose limitation)
  • We will be clear about what our purposes for processing data are. We will record these purposes in our privacy notice. We will not use the personal data for any other purpose unless this is compatible with our original purpose, we get consent, or we have a clear obligation or function set out in law.
• Adequate, relevant and limited to what is necessary (data minimisation)
  • We will make sure that the personal data we are processing is sufficient to properly fulfil our stated purpose, relevant to that purpose and limited to what is necessary.
• Accurate and kept up to date (data accuracy)
  • We will take all reasonable steps to ensure the personal data we hold is not incorrect. We will keep the personal data updated, if necessary for its purpose. If we discover that personal data is incorrect, we will take reasonable steps to correct or erase it as soon as possible.
• Kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation)
  • We will not keep personal data for longer than we need it.
• Processed in a manner that ensures appropriate security of the personal data, including protection against accidental or unauthorised access to, or destruction, loss, use, modification, or disclosure of personal data (integrity and confidentiality)
  • We secure personal data using [passwords, two factor authentication, encryption, clarity on which systems must be used]

Rights of individuals

Under the UK GDPR Individuals have the right to access their personal data and any such requests made shall be dealt with in line with legal requirements.

Breaches

A breach could include:

• access by an unauthorised third party to personal data;
• deliberate or accidental action (or inaction);
• sending personal data to an incorrect recipient;
• computing devices containing personal data being lost or stolen;
• alteration of personal data without permission; and
• loss of availability of personal data.

Where there is a likely risk to individuals’ rights and freedoms, we will report the personal data breach to the ICO within 72 hours of being aware of the breach. Where there is also a likely high risk to individuals’ rights and freedoms, we will inform those individuals without undue delay. We will keep a record of all personal data breaches reported and follow up with appropriate measures and improvements to reduce the risk of reoccurrence.

Data Protection Impact Assessments

The personal data we store and use does not result in a high risk to the rights and freedoms of individuals so Data Protection Impact Assessments (DPIAs) against data types we store and use are not required. The annual reviews of this policy and our privacy notice are sufficient to ensure that the nature, scope, context, purpose and compliance of our data storage and use is of low risk.

Privacy Notice

We collect and use the following personal data:

• Lead booker name, address, email and phone number, for the purpose of communication.
• Visitor bank details, for the purpose of repayment of deposit, where necessary.
• Names and nationalities of all guests of or over the age of 16.
• For all guests who are not British, Irish, or nationals of Commonwealth nations additional identification details such as passport number and place of issue.

The personal data is not shared with any third parties, with the exception of:

• Bank details which are used in online banking and in no other location.
• To comply with applicable law, regulation, court order or other legal process.

How data is used:

• To process bookings, communicate during the stay, and comply with legal or insurance obligations.

Visitor personal information is retained for the duration of a stay and 12 months thereafter, in accordance with The Immigration (Hotel Records) Order 1972.

Visitor bank data is not retained once the purpose has been completed.

All data subjects have the right to request to view their personal data we hold.

All enquiries about this notice should be addressed to stay@theshelterstone.co.uk.