In this policy, "The Company" (also referred to as allseven24) means allseven Group Ltd and its subsidiaries, namely:
- allseven24 (GB) Ltd
- allseven24 PTY Ltd
- allseven24 (US) Inc
- allseveniQ Ltd
We are committed to protecting your privacy and take every precaution with your personal information, only ever using it in accordance with the Data Protection Act 1998, the Privacy and Electronic Communications Directive (2002/58/EC) and the General Data Protection Regulation.
This policy sets out:
- that The Company is the processor;
- information collected from/about data subjects, which will be all information required for The Company to process traveller reservation booking requirements to clients as per the contract with those clients;
- the uses of data;
- the circumstances in which data is disclosed to third parties;
- that data will not be used or disclosed for marketing purposes;
- that data is stored on allseven24’s secure servers
- that data subjects have, in relation to their data, the right to/of:
- access it;
- request that it be rectified;
- request its erasure;
- restrict its processing;
- object to processing;
- lodge a complaint with a supervisory body;
- the period for which data will be stored
The legal basis for processing personal data is that the processing is necessary for the performance of the contract, or that it is necessary for legitimate business purposes, which include some or all of the following:
- Where the processing enables us to enhance, modify, personalise or otherwise improve our services/communications for the benefit of the customer;
- To identify and prevent fraud;
- To enhance the security of our networks and information systems.
Whenever we process data for these purposes we will ensure that we always hold your personal data rights in the highest regard and take into account all of your data protection rights under any and all current UK legislation.
You have the right to object to this processing at any time. If you wish to do so, please email firstname.lastname@example.org. Please bear in mind that if you object, this may affect our ability to carry out the tasks above which may be of benefit to you.
What types of information do we process?
- the contracts between The Company and our clients;
- the data provided to it by each client;
- Personal Information;
- Salutation, name, surname, address, company name, contact numbers, email addresses, travel itinerary details, date of birth, passport information, form of payment, airline cards and preferences;
- Any other information shared with us to assist with travel plans;
- Call log times and reason codes
For what purposes is the personal information used?
- Personal data will normally be part of a travel itinerary and is required to process the reservation and issue relevant tickets and provide other travel related services;
- Enhanced customer service;
- Fulfil customer requests;
- Provide accurate call reporting, data analysis;
- Manage support queries;
- Invoicing purposes
In accordance with the obligation that data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed, The Company does not collect any data which is not necessary for it to fulfil its contractual obligations. It does not collect data for a general or unspecified future use.
The requirement for personal data to be accurate and kept up to date depends on clients notifying The Company of changes to data they have previously provided. The contractual relationship requires both parties to ensure that the data provided to The Company is accurate; The Company cannot tell, without notification, when information has changed. Upon notification of a change, The Company erases or rectifies the data immediately.
Who is the Personal Information shared with?
- Third parties, suppliers, service providers and employees of The Company;
- If necessary: (a) under applicable law including laws outside your country of residence; (b) to comply with legal processes; (c) to respond to requests from public and government authorities including public and government authorities outside your own country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect yours and our own rights, privacy, safety or property; (g) to permit us to pursue available remedies or limit the damages we may sustain.
The Company only allows third party service providers to see personal data for specified purposes and in accordance with The Company's instructions. Any sharing of personal information using a third party platform is governed by the terms of that platform.
The Company retains personal data for as long as necessary to fulfil the purposes it was collected for, including for the purposes of satisfying any legal, accounting or reporting requirements. Please note that on any forms where you provide us with your details, we may specify the period of time for which we intend to keep the data according to the specific purposes defined in the form.
Integrity and Confidentiality
We use reasonable organisational, technical and administrative measures to protect Personal Information under our control. Unfortunately, no data transmission over the Internet or data storage system can be guaranteed to be 100% secure. Please do not send us sensitive information through e-mail. If you have reason to believe that your interaction with us is no longer secure, you must notify us immediately. Please note that e-mail communications will not necessarily be secure; accordingly you should not include credit card information in your e-mail correspondence with us.
When Personal Data is processed on behalf of The Company, access is limited to those who have a business need to know, Personal Data is processed in accordance with the instructions of The Company, and those who have access are subject to a duty of confidentiality.
The Company has internal procedures and policies in place to deal with any suspected personal data breach and will notify individuals and any applicable regulator of a breach where it is legally required to do so.
All staff are bound by these policies. When The Company's employees commence employment, they are given induction training and provided with a handbook and copies of all appropriate policies that apply to the work they are undertaking. Employees are required to sign their terms and conditions, which contain confidentiality obligations and obligations to comply with The Company's policies. Employees are given access only to the client data that is relevant to them, and only have access to screens allowing them to make changes or action items where these are relevant to their role and they have the appropriate authority. Employees are encouraged to flag any issues that they become aware of in relation to data. Only authorised contacts at clients may give instructions to The Company's staff or receive information from The Company. Employees are required to follow a set internal methodology when completing their work; this minimises failures to comply with internal policies, and any such failure can be readily identified and dealt with appropriately.
The Company currently has the following measures in place:
- Dedicated project team with responsibilities for key areas of GDPR, closely following the Information Commissioner's Office guidelines;
- Data analysis completed – what data we hold, where it came from and who it is shared with. This will enable allseven24 to ensure that only personal information required for the service delivery is collected and that such information is properly processed;
- Staff awareness training;
- Secure anti-virus programme;
- Immediate lockdown of all systems and passwords when an employee contract ends;
- Where appropriate, changes to software, technical procedures and processes will be made in support of GDPR obligations;
- Inventories of all equipment;
The Company are currently implementing the following measures:
- Two-factor authentication;
- Website access controls;
- Email scanning through a filtering service
As is currently required by the Data Protection Act, The Company is registered with the Information Commissioner's Office ("ICO") as a data processor. There is a contract in place between The Company and its clients documenting allseven24's obligations.
The Company has a data security breach incident management policy which is based on guidance given by the ICO. This policy applies to both suspected and confirmed incidents. It contains a reporting structure within The Company, naming the persons responsible for assessing incidents, including a named individual with overall responsibility for data protection issues, being Phill Spokes. All data security breaches are centrally logged to ensure oversight of the types and frequency of breaches; this, in turn, enables ongoing policy making, changes to systems and training to be given as may be required. In accordance with this policy, The Company does and will continue to comply with its obligations to notify the ICO and data subjects of data security breaches as and when it is required to do so. Where there is a data security breach, allseven24 documents its effects and any remedial action The Company has taken.
The customer, as Controller, remains solely responsible for the lawfulness of the Personal Data and its documented instructions.
Under certain circumstances individuals can exercise rights under data protection laws. EU citizens and residents may exercise these rights relating to their personal data, or contact The Company for data protection related questions, by email to email@example.com.
For the following rights please make a reference to the following in the request:
- Subject access requests - Right to access – request for access to personal data;
- Rectification of data quality;
- Right to erasure;
- Data portability;
- Right to object – object to processing of personal data for the purpose of analytics;
- Right to information about:
- The Company third party service providers who process personal data on behalf of The Company;
- transfers to third countries – information about data transfers outside EEA
Subject Access Requests
The Company will require authentication of your identity and possibly additional information to confirm that the rights that you may have under data protection laws are being exercised correctly. Information will be provided free of charge. A ‘reasonable fee’ may apply if the request is manifestly unfounded or excessive, particularly if it is repetitive. Charges will be applied based on the administrative cost of providing the information.
Information will be provided without delay and at the latest within one calendar month of receiving the request. This may be extended by a further two months for complex or numerous requests.
Rectification of Data Quality
Individuals have the right to have personal data rectified if it is inaccurate or completed if it is incomplete. Responses will be without delay and at the latest within one month of receipt of the request. This may be extended by a further two months for complex or numerous requests.
The Company will regularly review the information we process internally and with our customers to identify when action is required. Regular reviews of our systems and processes will ensure that the information continues to be adequate for the purposes we are processing it for.
Right to Erasure
EU citizens and residents have the right to be forgotten and can request the erasure of personal data:
- when it is no longer necessary for the purpose for which The Company originally collected/processed it;
- if you object to our grounds for collecting/processing the data for legitimate interest purposes;
- if The Company was processing the personal data for direct marketing purposes and the customer objects;
- if it was unlawfully processed;
- if it has to be erased in order to comply with a legal obligation; or
- if it is processed for information society services to a child
Responses will be without delay and at the latest within one month of receipt of the request. This may be extended by a further two months for complex or numerous requests.
We may refuse to comply with a request for erasure if we are processing the personal data for the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- to perform a public interest task or exercise official authority;
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes;
- to establish, exercise or defend legal claims;
- for public health purposes in the public interest; or
Data Portability
EU citizens and residents have the right to obtain and reuse their personal data for their own purposes across different services.
The right to data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual's consent or on the performance of a contract; and
- where the processing is carried out by automated means
Responses will be without delay and at the latest within one month of receipt of the request. This may be extended by a further two months for complex or numerous requests.
Right to Object
EU citizens and residents have a right to object to the processing of their personal data in certain circumstances including:
- Any processing of information undertaken for the purposes of direct marketing;
- Grounds relating to an individual’s particular situation based on legitimate interests, the performance of a task in the public interest or exercise of official authority
The right to object is not absolute; however, The Company will stop processing personal data unless we are able to demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual.
Although The Company aims to carefully address any request and/or claim from you, as well as carefully process your personal information, you are entitled to file any claim or complaint before the relevant data protection authorities, if the answer provided by The Company does not meet your expectations.
What is GDPR?
On the 25th May 2018, the EU-wide General Data Protection Regulation (GDPR) will come into force.
The GDPR (General Data Protection Regulation) is concerned with respecting the rights of individuals when processing their personal information. This can be achieved by being open and honest with employees about the use of information about them and by following good data handling procedures. The regulation is mandatory and all organisations that hold or process personal data must comply.
The regulation contains 6 principles.
- Personal data should be processed fairly, lawfully and in a transparent manner;
- Data should be obtained for specified and lawful purposes and not further processed in a manner that is incompatible with those purposes;
- The data should be adequate, relevant and not excessive;
- The data should be accurate and where necessary kept up to date;
- Data should not be kept for longer than necessary;
- Data should be kept secure
All staff have a responsibility to ensure that their activities comply with the data protection principles. Line managers have responsibility for the type of personal data they collect and how they use it. Staff should not disclose personal data outside the organisation's procedures, or use personal data held on others for their own purposes.
Who does GDPR apply to?
The GDPR applies to any organisation that handles personal data.
What is personal data?
Personal data is data that relates to an identified or identifiable individual and is any of the following:
- processed electronically;
- kept in a filing system;
- part of an accessible record, for example an education record;
- held by a public authority
This includes data that does not name an individual but could potentially identify them, e.g. a payroll or staff number. Employers should ensure staff are aware that any personal data they have in their possession will also be subject to the regulation, for example if a manager has a written copy of contact details for their team, or an employee keeps customer names and numbers on Post-it notes on their desk.
If employers are monitoring their staff, for example to detect crime, they are required to make their workers aware of the nature and reason for the monitoring. This is applicable whether the monitoring is taking place using CCTV, accessing a worker's email or telephone calls or in any other way.
How long can information be kept?
Information must not be kept for longer than is necessary.
While there is no set period of time set out within the GDPR, some records must be kept for a certain period of time in accordance with other legislation. For example, HMRC require payroll records to be kept for three years from the end of the tax year that they relate to.
How can employers comply with the regulation?
To ensure its compliance to the GDPR, an organisation must:
- have a clear retention policy for handling personal data and ensure it is not held for longer than is necessary;
- have a legal basis for acquiring and/or using any personal data;
- ensure that all staff are aware of the retention policy and follow it;
- respond to subject access requests (sometimes called personal data requests) within one month;
- if there is a personal data breach that is likely to result in a risk to the rights and freedoms of an individual, inform the ICO within 72 hours and, if the risk is deemed to be high, also inform the individual concerned
A worker's right to request their personal data
Workers have a right to access information that an employer may hold on them. This could include information regarding any grievances or disciplinary action, or information obtained through monitoring processes.
If a worker wants to see their personal data, they should speak to their employer. Most requests for personal data can be provided quickly and easily.
If the employer is unable or unwilling to agree to the request, a worker could make a Subject Access Request. A subject access request should be in writing and include:
- full name, address and contact details;
- any information used by the organisation to identify the worker (account numbers, unique IDs, etc.);
- details of the specific information required and any relevant dates.
Arrangements should already be in place to deal with Subject Access Requests as a 40 day time limit is currently stipulated under the Data Protection Act. This time limit shortens to one month under the GDPR.
While the Data Protection Act currently allows an employer to charge a fee for Subject Access Requests, under the GDPR a fee may only be charged if the request is "manifestly unfounded or excessive".
If an employer refuses a request they must inform the individual within one month:
- why they have refused the request;
- that the individual has the right to complain to the supervisory authority and to a judicial remedy
For further information, please contact firstname.lastname@example.org