Data Protection Policy
1.1 In the course of our relationship, we may receive information relating to you and family members. In this Policy, we refer to this information as “personal information”.
1.2 This Policy sets out the basis on which we will process this personal information. Please read the Policy carefully to understand our practices regarding personal information and how we will use it.
2. ABOUT A&G TRAVEL GROUP LTD
2.1 The data processor in respect of personal information is A&G Travel Group Ltd a limited company registered in England and Wales under number 10998113e. Our registered office is at 1 Vicarage Lane, Stratford, London E15 4HF.
2.2 A&G Travel Group Ltd is registered under the Data Protection Act 1998 with registration number 10998113.
2.3 References in this Policy to “A&G”, “we”, “our” and “us” are references to A&G Travel Group Ltd, the data processor.
3. CONTACTING US
3.1 We are not required to appoint a formal data protection officer under data protection laws. However, A&G’s Data Protection Contact is Stephen Ashcroft.
3.2 If you have any questions about this policy or your information, or to exercise any of your rights as described in this policy or under applicable data protection laws, you can contact us as follows:
Data Protection Contact
A&G Travel Group Ltd
Suite 14, Claremont Business Centre
6-8 Claremont Road
By email: [email protected]&Gcorporatetravel.co.uk
By telephone: 0207 183 0216
4. DATA PROTECTION PRINCIPLES
4.1 Anyone processing personal data must comply with the principles of processing personal data as follows: 4.1.1 Lawfulness, fairness and transparency – data must be processed lawfully, fairly and in a transparent manner.
4.1.1 Lawfulness, fairness and transparency – data must be processed lawfully, fairly and in a transparent manner.
4.1.2 Purpose limitation – data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
4.1.3 Data minimisation – data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4.1.4 Accuracy – data must be accurate and, where necessary, kept up to date.
4.1.5 Storage limitation – data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
4.1.6 Integrity and confidentiality – data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures.
4.2 This Policy describes the personal information that we collect, and explains how we comply with these principles.
5. INFORMATION WE MAY COLLECT
5.1 We collect the personal information as necessary to enable us to book and secure your travel and associated accommodation requirements and to manage and operate our business, and to comply with our legal and industry standard obligations.
5.2 The personal information that we may collect includes, but is not limited to, the following:
• your name;
• home and business address;
• contact details (such as telephone numbers and email address);
• date of birth;
• marital status;
• copies of passport, national identity card, driving licence, bank details and similar documents;
• immigration status;
• other personal information contained in correspondence and documents which you may provide to us; and
• details of any disabilities or dietary requirements.
5.3 You confirm that you are authorised to provide to us the personal information which we shall process on your behalf.
5.4 Where the personal information relates to your family members or unconnected individuals travelling with you it is not reasonably practicable for us to provide to them the information set out in this Policy. Accordingly, where appropriate you are responsible for providing this information to any such person.
6. LEGAL BASIS FOR PROCESSING
6.1 We process personal information on the basis of one or more of the following:
6.1.1 Processing is necessary for the performance of our relationship with you: this relates to all personal data we reasonably need to process to carry out your instructions to secure your travel and associated accommodation requirements.
6.1.2 Processing is necessary for compliance with any legal obligations to which we are subject.
6.1.3 Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data: this relates to our processing for our legitimate marketing purposes, for our management, accounting and administration purposes and for data security.
7. SPECIAL CATEGORIES OF (“SENSITIVE”) PERSONAL DATA
7.1 You may also supply us with, or we may receive, special categories of (or “sensitive”) personal data, which could include personal data but is not limited to:
7.1.1 personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying an individual;
7.1.2 data concerning health or concerning a natural person’s sex life or sexual orientation.
7.2 We process these special categories of personal data on the basis of one or more of the following:
7.2.1 where the data subject has given explicit consent to the processing of the personal data for one or more specified purposes;
7.2.2 where the processing relates to personal data which are manifestly made public by the data subject;
7.2.3 where the processing is necessary for the establishment, exercise or defence of legal claims;
7.2.4 where the processing is necessary for reasons of substantial public interest, in accordance with applicable law. Such reasons include where the processing is necessary for the purposes of the prevention or detection of an unlawful act or for preventing fraud.
8. HOW WE USE YOUR INFORMATION
8.1 A&G shall use personal information and any other information which we may collect for the purpose of:
8.1.1 our provision of travel services to you including associated administration and accounting;
8.1.2 marketing our services;
8.1.3 compliance with any law or regulation and the rules of any applicable governmental, industry body; and
8.1.4 any dealings with any industry body.
9.1 We may use personal information to notify you about offers to other travel related services which we think you may find valuable, for sending you newsletters, invitations to events and similar marketing.
9.2 In this connection we may disclose personal data to our affiliated offices or to third parties providing marketing services to us, or with whom we are conducting joint marketing exercises.
9.3 We may contact you by post, email, telephone, text, SMS or other means.
9.4 You can tell us if you do not wish to receive direct marketing by writing to us by contacting the Data Protection Contact whose details are set out above.
9.5 [If you would like to unsubscribe from any email newsletter or other email marketing, you can also click on the ‘unsubscribe’ button. It may take a few days for this to take effect].
10. EMAIL MONITORING
10.1 Emails which you send to us or which we send to you may be monitored by us to ensure compliance with ABTA, [other ?] standards and our policies. Monitoring is not continuous or routine, but may be undertaken where we reasonably think is appropriate.
11. THIRD PARTY PROCESSORS
11.1 Our information technology systems are operated by us but some data processing is carried out on our behalf [by third parties]. Details regarding these third party data processors can be obtained from our Data Protection Contact whose details are given above.
11.2 Where processing of personal data is carried out by a third party data processor on our behalf we endeavour to ensure that appropriate security measures are in place to prevent the unauthorised use of your data or access to, or use of your data.
12. DISCLOSURE OF PERSONAL INFORMATION
12.1 Personal information will be retained by us and will not be shared, transferred or otherwise disclosed to any third party, save as set out in this Policy.
12.2 We may disclose and share personal information:
12.2.1 to other travel advisers [insurance brokers] and third parties in accordance with your travel requirements;
12.2.2 to our insurers, brokers or advisers, and lawyers or risk managers who we or they may appoint;
12.2.3 if we, acting in good faith, consider disclosure to be required by law or the rules of any applicable governmental, or industry body.
12.3 Should we be requested by certain authorities to provide them with access to your information in connection with your travel and/or associated accommodation requirements, we will comply with that request only to the extent that we are bound by law to do so and, in so far as it is allowed, we will notify you of that request or provision of information.
13. YOUR RIGHTS
13.1 Access to your information and updating your information
13.1.1 You have the right to access information which we hold about you. If you so request, we shall provide you with a copy of your personal information which we are processing (“subject access request”);
13.1.2 You also have the right to receive your personal information in a structured and commonly used format so that it can be transferred to another data controller (“data portability“).
13.1.3 We endeavour to ensure that your personal information is accurate and up to date and you may ask us to correct or remove any information you think is inaccurate.
13.2 Right to object
13.2.1 You have the right to object at any time to our processing of your personal information for direct marketing purposes.
13.3 Where we process your information based on our legitimate interests
13.3.1 You also have the right to object, on grounds relating to your particular situation, at any time, to processing of your personal information which is based on our legitimate interests. Where you object on this ground, we shall no longer process your personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
13.4 Your other rights
13.4.1 You also have the following rights under data protection laws to request that we rectify your personal information which is inaccurate or incomplete.
13.4.2 In certain circumstances, you have the right to:
(i) request the erasure of your personal information erasure (“right to be forgotten”);
(ii) restrict the processing of your personal information to processing to which you have given your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of others.
13.5 Please note that the above rights are not absolute, and we may be entitled to refuse requests, wholly or partly, where exceptions under applicable law apply.
14. EXERCISING YOUR RIGHTS
14.1 You can exercise any of your rights as described in this policy and under data protection laws by contacting the Data Protection Contact.
14.2 Save as described in this policy or provided under applicable data protection laws, there is no charge for the exercise of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or (b) refuse to act on the request.
14.3 Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm that person’s identity.
15. SECURITY OF YOUR INFORMATION
15.1 We store your information in [hard copy and in] electronic format. We use industry standard technical and organisational measures to protect information from the point of collection to the point of destruction. For example:
15.1.1 [Hard copy information files are restricted to authorised individuals]
15.1.2 We use, as appropriate, encryption, firewalls, access controls, policies and other procedures to protect information from unauthorised access.
15.1.3 Where appropriate, we use pseudonymisation and / or encryption to protect your information.
15.2 We will only transfer personal data to a third party if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves.
15.3 Unfortunately, the transmission of information via the internet is not completely secure. Although we will endeavour to protect your personal information, we cannot guarantee the security of your data transmitted over the internet. In most, if not all instances, we would expect to use a secure transfer site for this purpose.
16. INFORMATION RETENTION PERIODS
16.1 Personal information received by us will only be retained for as long as legitimately necessary. Following the end of our relationship we will retain your information for as long as necessary and permitted for legal and legitimate business purposes. After this period, your personal data will be securely destroyed in accordance with our Data Retention Policy. Further details regarding our data retention policy can be obtained from our Data Protection Contact whose details are given above.
17.1 The Data Protection Contact are customer services who can be contacted at [email protected]&Gcorporatetravel.co.uk to whom complaints should be addressed.
17.2 In addition, you have the right to complain to the Information Commissioner’s Office about our data processing activities in relation to your personal information if you think they infringe applicable data protection laws (ICO helpline on 0303 123 1113).
18. CHANGES TO THIS POLICY
18.1 We may change this Policy from time to time. The current version will always be available from us in hard copy or on our website.
18.2 This Policy was last updated on 15th March 2018.