Crai Valley Eco Lodges Ltd - Privacy Policy

Introduction

Crai Valley Eco Lodges Ltd is committed to protecting your data and information. We believe it is important to look after your data and allow you to retain control over how it is used.

We want to ensure that your data is processed fairly, lawfully, and in accordance with your rights under the General Data Protection Regulation (GDPR; EU 2016/679). Please read the full Privacy Statement carefully to understand our policies and practices regarding your information and contact our Data Protection Officer at craivalleyecolodges@gmail.com if you have questions.

Due to the nature of the services we provide to our customers, it may be necessary to hold and process personal data regarding customers. This personal data is covered by the General Data Protection Regulations 2016 (“GDPR”).

For the capture and use of data relating to customers, there are some key legal requirements with which we need to comply. The purpose of this Privacy Statement is to set out how we meet these requirements and to ensure that every client who provides data to us understands the legal basis on which that data is held, what the data is used for, how it is stored and who has access to it.

The Privacy Statement is one element of how we fulfil the obligations of GDPR. This document should be viewed in conjunction with the following policies and procedures:

  • Data Breach Notification Procedure

  • Data Processing Agreement

  • Record Retention and Protection Policy

Key terms

GDPR is an extensive piece of legislation that seeks to protect the right to privacy of individuals. There are some key terms in relation to the approach that we are using in relation to GDPR.  These are:

  • Data Subject – the individual to whom the data relates;

  • Personal Data – any information relating to an identified or identifiable person;

  • Processing – any action performed with the personal data (collection, recording, sharing, storing, etc.);

  • Controller – the person or entity who determines what data to collect and the use of that data;

  • Processor – the person/people who collects and processes the data as per instructions from the Controller.

Key roles in data use

For provision of our services, the following roles fulfil duties under this Privacy Statement:

  • Controller – our directors and employees

  • Processors – our directors and employees

The six privacy principles

GDPR sets out six privacy principles with which we must comply.  These principles are:

  • Purpose Limitation – we must clearly state the reason that data is being held and can then only process data for that reason. If we want to use the data for a different reason to that for which the data was collected, then we must inform the client

  • Data Minimisation – we must only collect the data that is needed

  • Accuracy – we must take all reasonable steps to ensure that the data held is accurate

  • Storage Limitation – we must only keep the data for as long as it is necessary

  • Integrity and Confidentiality – we must take all reasonable steps to ensure that the data held is kept securely and is only shared with people who have a legitimate need to have access to it

  • Lawfulness, fairness and transparency – we must have a legal basis for processing data and must be transparent about the data held, why it is held, how it is held, who has access to it and for how long it is retained

Our legal basis for processing data and how we will use it

GDPR states that data can only be processed for one of six reasons – consent, contract, legal obligation, vital interests, public task and legitimate interests. Of these, the reasons that we hold data relating to our clients’ employees and customers are:

  • “Consent”, where consent is defined as where an “individual has given clear consent for us to process their personal data for a specific purpose”

  • “Contract”, where contract is defined as “a lawful basis for processing data if a company is required to hold the data to fulfil their contractual obligations”

  • “Legal obligation”, where legal obligation is defined as “the processing necessary for us to comply with the law (not including contractual obligations)”.

We will not sell your data to third-parties nor use the information held about you (and information about others) to provide you with advertising or other services that you have not requested.

The data that is typically held

  • Website contact form

When you navigate our websites or contact us, we may request or you may choose to provide us with certain information. This may include Personal Information, such as name, company, job title, email address and records and copies of your correspondence with us.

If you contact us through one of our contact forms, we will assume you have a legitimate interest to do so. We will continue to hold your information for 24 months after your last interaction with us. You can request for your data to be erased at any point by emailing craivalleyecolodges@gmail.com.

We use third party solutions, WordPress and MailChimp, to store and manage our contact and e-newsletter requests.

  • Customer account information

As a customer of our properties, we may collect and process information such as your name, email address and company.

We will hold your information for the duration of our Agreement with either yourselves or your employer.

  • Job application and employee information

We process and store Personal Information for the purpose of assessing your suitability for employment at Crai Valley Eco Lodges Ltd and/or to fulfil our statutory obligations as an employer. This may include information such as your name, date of birth, employment and education history, contact information and information of a sensitive nature that you chose to disclose to us.

We store relevant employee data for the duration of your employment and for the legally required amount of time after that.

We will hold your job application for a total of 12 months after our last communication. This does not affect your rights as an individual under GDPR.

  • Usage details and cookies

When you visit www.craivalleyecolodges.co.uk we may collect information about how our website is used. We do this to find out things such as the number of visitors to the various parts of the site so that we can improve our service to you.

We use a third-party service, Google Analytics, to collect standard internet log information and details of your behaviour patterns. This information is processed in a way which does not identify anyone. We do not make and do not allow Google to make, any attempt to find out the identities of those visiting our website.

Any Personal Information collected on our website is obtained via our contact forms. We will make it clear when we collect Personal Information and will explain what we intend to do with it.

We use cookies to collect information about how our website is used. For more information on how we use cookies, please refer to our Cookie Policy.

Where we have collected and processed data on individuals who may be Directors of UK businesses, we have done so on the basis of legitimate interest. In doing so we have considered the following:

  • We have checked that legitimate interests is the most appropriate basis

  • We understand our responsibility to protect individual’s interests

  • We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision

  • We have identified the relevant legitimate interests

  • We have checked that the processing is necessary and there is no less intrusive way to achieve the same result

  • We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests

  • We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason

  • We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason

  • We have considered safeguards to reduce the impact where possible

  • We have considered whether we can offer an opt out

  • Although our LIA has not identified a significant privacy impact, we have conducted a DPIA regardless

  • We keep our LIA under review, and repeat it if circumstances change

  • We include information about our legitimate interests in our privacy information

‘Privacy by design’

We have adopted the principle of ‘privacy by design’ for our systems which collect or process personal data. We will ensure that the definition and implementation of all new or significantly changed systems (that collect or process personal data) will be subject to due consideration of privacy issues, including the completion of one or more data protection impact assessments. The data protection impact assessment will include:

  • Consideration of how Personal Data will be processed and for what purposes;

  • Assessment of whether the proposed processing of Personal Data is both necessary and proportionate to the purpose(s);

  • Assessment of the risks to individuals in processing the Personal Data;

  • Consideration of which controls are necessary to address the identified risks and demonstrate compliance with legislation.

Disclosure of your information 

We use a number of third party providers to help us run our businesses. Such suppliers may have access to your personal information or we may share or send it to them. This includes IT and system administration services, professional advisers including lawyers, bankers, auditors and insurers based and regulators and other authorities.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. 

Data Protection Officer 

A defined role of Data Protection Officer is required under the GDPR if an organisation is a public authority, if it performs large-scale monitoring, or if it processes particularly sensitive types of data on a large scale. Based on these criteria, we have appointed a DPO and they can be reached using the craivalleyecolodges@gmail.com email address.

Breach notification 

We always aim to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms

of individuals, we will inform the relevant Data Protection Authority within 72 hours. This will be managed in accordance with our Data Breach Notification Procedure which sets out the overall process of handling information security incidents.

Your rights

Under the General Data Protection Regulation (GDPR), you have rights as an individual, which you can exercise in relation to the information we hold about you.

  • Right of access – you have the right to request a copy of the information that we hold about you.

  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.

  • Right to erasure – in certain circumstances you can ask for the data we hold about you to be erased from our records.

  • Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.

  • Right of portability – you have the right to have the data we hold about you transferred to another organisation.

  • Right to object – you have the right to object to certain types of processing such as direct marketing.

  • Right to object to automated processing, including profiling – you also have the right to object or question automated processing or profiling.

  • Right to judicial review – in the event that Crai Valley Eco Lodges Ltd refuses your request under rights of access, we will provide you with a reason as to why. You have the right to challenge this with the Information Commissioner Office.

You can read more about these rights here – https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/

If you would like to exercise any of your rights as a data subject you can do so by contacting us at craivalleyecolodges@gmail.com.

Addressing compliance to the GDPR

To ensure that we comply with the accountability principle of the GDPR, we have ensured that:

  • The legal basis for processing personal data is clear and unambiguous;

  • There is appropriate communication with all clients regarding the data held;

  • The Controllers and Processors involved in handling Personal Data understand their responsibilities for following good data protection practice;

  • Routes are available to Data Subjects wishing to exercise their rights regarding personal data, and that such enquiries are handled effectively;

  • Regular reviews of procedures involving Personal Data are carried out by our directors; and

  • Privacy by design is adopted for all new or changed systems and processes.

Changes to this policy

Any changes we make to our privacy policy in the future will be posted on this page, and where appropriate, notified to you by email.

We keep our privacy statement under regular review. This privacy policy was last updated on 24th May 2021.

Concerns and Questions

GDPR is new legislation and how the rules are interpreted will continue to evolve. We will continue to adopt best practices to ensure on-going compliance. Any concerns or questions relating to the way in which we process data should be raised via email to craivalleyecolodges@gmail.com. The issues will then be investigated and a response will be sent within 28 days of receipt of the email.