Policy document – The Away Company Ltd
General Data Protection Regulation (GDPR).
Introduction
The GDPR regulations are an evolution of the existing Data Protection Act of 1998 (DPA) and Privacy and Electronic Communications Regulations 2003 (PECR). GDPR adds to the requirements The Away Company Ltd already have regarding data handling.
GDPR is designed to prevent the sharing of information between companies, thereby cutting down on nuisance emails and phone calls. A simple analysis of our business shows that we do not access any data other than the information specifically given to us by our clients (potential, current and previous clients). We do not purchase or accept contact lists from any other source. However, we do keep and use personal data obtained from a large number of individuals.
Personal Data
In our sphere of activity, personal data can include (but is not limited to) information such as:
- Name
- Email address
- Mobile phone number
- Home phone number
- Bank account details
- Home addresses
- Date of birth
- Passport number & expiry date
- Driving licence number
Clear consent
When individuals register their personal data with us, we will always obtain their permission to store and use that data only for the purposes for which it was provided. We will never send emails or correspondence of any kind to individuals who have not given their consent for us to hold their data.
Use of data
At the point of data collection, we will explain clearly to enquirers or clients how we intend to lawfully use the data. Uses can include –
- Sending information requested regarding availability, pricing, etc. of holiday rentals to people who enquire via our website or by telephone
- Contacting the client during the booking process and prior to, during and after their stay in one of our properties
- Providing name and, if necessary, contact details of guests to local agents
- Registering guests’ details with the Guardia Civil prior to their stay
- Providing customer details to our car hire partners when making a reservation
- Returning damage deposits by bank transfer when this method is requested by the client
From the above, we can separate data into four different areas.
- First, the data handled by The Away Company staff
Data given to us will be treated appropriately – kept securely and disposed of when no longer required. Any data that is given verbally (for example someone giving their address or bank details over the phone) will not be repeated back to the person over the phone if anyone else could overhear the conversation.
Data that is no longer required will be securely disposed of.
- Second, data handled and stored by systems that are used by The Away Company – these include
1. Internal computer systems and databases.
2. The Away Company websites
3. PayPal.
4. Our email provider.
5. HomeAway/ TripAdvisor advertising and booking platforms or similar
To an extent these systems are run by separate companies and those companies are responsible for providing a system that complies with the regulations. Broad Court in turn will check that those companies are GDPR compliant and are prepared to confirm this to us.
- Third, data shared with third parties such as the Guardia Civil, local agents or car rental (Data Processors)
We have to share data with third parties in order to satisfy the legal requirement to register guests staying at licensed properties with the local Guardia Civil. We also need to provide the local agents with the name of the lead guest staying at a property, and when booking car rental we need to provide the name, date of birth and contact telephone number of the client.
In order to safeguard this data, our policy is that any such third parties, such as local agents, must sign an agreement with The Away Company confirming that a) any such data will be kept securely whilst it is needed for the purpose of the property rental and b) it will be destroyed once it is no longer needed.
CarGest (car rentals) and the Guardia Civil have their own privacy policies, copies of which we will request before data is shared with them.
- Fourth, data shared with third parties for marketing purposes
We do not share any data with third parties for marketing purposes.
Data breaches
All members of staff are aware of their responsibilities in regard to safeguarding data whilst it is being used by them. All practical steps are taken to ensure this data is kept safe and under lock and key with alarms set when the office is closed. Our network is actively protected and monitored to detect and prevent any attempts to access our data from the Internet, and also to generate a report should any incident occur that may have led to a data breach. If any such report is generated, or any other incident such as a break-in occurs, it will be reported and then investigated promptly.
Individuals' Rights
GDPR introduces and enhances the rights individuals have. These rights include –
- The right for data to be deleted
GDPR rules provide data subjects with the right to request that their information is erased from our records. In most cases any such request will be acted on promptly and all data disposed of safely.
However, it is not possible for us to remove some types of data. The Away Company has a legal obligation to keep guest registration details as presented to the Guardia Civil for a period of three years. Clients who book with us need to agree that their data can be kept for this period of time.
- The right to be informed about how we will use the data (covered above)
- The right of access to the data we hold on individuals
If an individual requests access to the data we hold regarding them, we will supply this information within a month. Invariably the basis of this data will be the information supplied by the individual to us when they first registered with us, as we do not obtain data from any other source. This could also include any email or other correspondence shared with that individual. We do not make a charge for the supply of data.
- The right to have data corrected
- The right to restrict processing
- The right to object
- The right not to be subject to automated decision making including profiling
Our appointed data controller is Tina Corbett, who can be contacted on tina@theawaycompany.com