HOW WE KEEP YOUR DATA AND INFORMATION
OUR COMMITMENT TO PROTECTING YOUR PRIVACY
We have published this notice to help you understand
- How Heythrop Park Limited use your personal data;
- Who we share your information with, why and on what basis; and
- What your rights are.
If we make changes to this notice we will notify you by updating it on our independent website and reception.
“Personal data” means any information collected and logged in a format that allows you to be identified personally, either directly (e.g. name) or indirectly (e.g. telephone number). It does not include data where the identity has been removed (anonymous data). Before providing us with this information, we recommend that you read this document describing our customer privacy protection policy.
WHAT PERSONAL DATA WE COLLECT
This notice sets out the ways in which we may process your personal information when you stay with us as a guest in accordance with our legitimate interests set out in this notice and any other lawful bases for processing we rely on. A printed copy of our general terms & conditions is available at the front desk. To enable us to register you as a guest and to help us improve your experience while staying with us, we will ask you to provide some personal information which may include:
- Contact details (last name, first name, address, telephone number, email)
- Payment card details
- Passport information
- Our facilities use CCTV for safety and security monitoring purposes.
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with a room in our hotel or use our facilities). In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at the time.
HOW WE USE YOUR INFORMATION
The General Data Protection Regulation says that we are allowed to use and share your personal data only where we have a proper reason to do so. The law says we must have one or more of these reasons and these are:
- CONTRACT – your personal information is processed in order to fulfil a contractual arrangement.
- CONSENT – where you agree to us using your information in this way e.g. for sending you information on hotel news and promotions
- LEGITIMATE INTERESTS – this means the interests of Heythrop Park Limited in managing our business to allow us to provide you with the best service.
- LEGAL OBLIGATION – where it is statutory or other legal requirements to share the information e.g. when we have to share your information for law enforcement purposes.
We use your information in a number of different ways, primarily to fulfil a contract and also provide excellent service to our customers.
The below set this out in detail, showing what we use the information we collect for:
- To manage your relationship with Heythrop Park Limited.
- To verify your guest status.
- To manage payment.
- Carrying out surveys and analyses of questionnaires and customer comments.
- To send you marketing related information.
- Managing claims/complaints.
- To carry out obligations arising from membership contractual agreements.
- To improve services, to input to our marketing program.
- For demographic profiling of our customer base, to assist promote of our services, and adapting and improving our products and services.
Information relating to your children
- We do not collect personal information from individuals under 18 years of age without the permission and consent of their parent or guardian.
Payment Card Details
- We collect and securely store your payment card information for administration purposes.
- In the interests of security and the prevention of crime, we may take a digital photograph of each guests’ passport.
Questions / Comments
- To collect feedback to improve our services and monitor customer experience.
We will only use your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at firstname.lastname@example.org
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
You are entitled to request the following from Heythrop Park Limited, these are called your Data Subject Rights and there is more information on these on the Information Commissioners website www.ico.org.uk
- THE RIGHT TO BE INFORMED – The right to be informed about how your personal information is being used and processed (as described in this policy).
- RIGHT OF ACCESS – The right to access the personal information we hold about you.
- RIGHT TO RECTIFICATION – The right to request the correction of inaccurate personal information we hold about you and to have incomplete personal information completed
- THE RIGHT TO ERASURE (also known as the Right to be Forgotten) – The right to request that we delete your data, or stop processing it or collecting it, in some circumstances.RIGHT TO
- RESTRICTION OF PROCESSING – to restrict the processing of your personal information.
- RIGHT TO DATA PORTABILITY – to electronically move, copy or transfer your personal information in a standard form, or port elements of your data either to you or another service provider.
- RIGHT TO OBJECT – The right to object to the processing of your personal information
- THE RIGHT TO STOP DIRECT MARKETING messages, and to withdraw consent for other consent-based processing at any time.
- THE RIGHT TO COMPLAIN to your data protection regulator – in the UK, the Information Commissioner’s Office. We encourage you to contact us before making any complaint and we will seek to resolve any issues or concerns you may have. You can find out more information about the ICO at https://ico.org.uk/
If you have any general questions about your rights or if you want to exercise your rights or have a complaint, please contact us at email@example.com
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
We will generally aim to respond to any requests made within one month of receipt of the complete and valid request. However, for complex requests, we may extend this time period by a further two months. We will let you know before the expiry of one month from the request if we seek to rely on an extension of time. We will, therefore, respond no later than three months from the date of receipt of the request.
WHO WE SHARE YOUR INFORMATION WITH AND WHY
Within Heythrop Park Limited, in order to offer you the best service, we can share your personal data and give access to authorised employees including:
- Leisure Club & Hotel staff
- IT departments
- Commercial partners and marketing services
- Legal services if applicable
- Generally, any appropriate person within Heythrop Park Limited for certain specific categories of personal data.
Information about our guests is an important part of our business and we do not sell this information to others. Heythrop Park Limited works with a number of trusted suppliers, agencies and businesses in order to provide you with the high-quality services you expect from us. Your personal data may be sent to a third party for the purposes of supplying you with services and improving your leisure club membership experience.
Some examples of the categories of third parties with whom we share your data are:
Heythrop Park Limited works with the business who support our website and other business systems.
We work with marketing companies who help us manage our electronic communications with you or carry out surveys and reviews on our behalf. If a customer has opted-in to receiving information regarding our goods and services, we may utilise a marketing company to send out such information. For further information see the ‘Keeping in touch with you’ section of this policy.
Heythrop Park Limited works with trusted third-party payment processing providers and banks in order to securely take and manage payments.
Debt Recovery and Fraud Prevention
We release your personal information on the basis that we have a legitimate interest in preventing fraud and money laundering when we believe release is appropriate to comply with the law; enforce or apply our contractual agreements; or protect the rights, property or safety of Heythrop Park Limited or our customers. This includes exchanging information with other companies and organisations for verification of identity fraud protection, credit risk reduction and debt collection.
Details of the personal information that will be processed include, for example, name, address, contact details, financial information, device identifiers including IP address and vehicle details.
We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
We may also be obliged to send your information to local authorities if this is required by law or as part of an inquiry and in accordance with local regulations.
To improve our platform, prevent or detect fraud or abuses of our website and enable third parties to carry out technical, logistical, research or other functions on our behalf.
Outside the UK/EEA
KEEPING YOUR INFORMATION
If we collect your personal information, the length of time we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws. We may need your personal information to establish, bring or defend legal claims. For this purpose, we will generally keep your personal data for seven years, to take into account our need to retain your personal data as a record of your stay with us for the purposes of our legitimate interests set out above (see “Situations in which we will use your personal information”), for example for any subsequent legal dispute and where we are required by law to retain the data. In particular, we may keep certain data, such as any health and safety incidents or records for a longer period of time to retain records of our compliance with our health and safety obligations.
The only exceptions to this are where:
- the law requires us to hold your personal information for a longer period, or delete it sooner;
- you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law;
- we bring or defend a legal claim or other proceedings during the period we retain your personal information, in which case we will retain your personal information until those proceedings
- have concluded and no further appeals are possible; or
- in limited cases, existing or future law or a court or regulator requires us to keep your personal information for a longer or shorter period.
HOW WE SECURE YOUR INFORMATION
Heythrop Park Limited takes data security seriously, and we take appropriate technical and organisational procedures, in accordance with applicable legal provisions, to protect your personal data against illicit or accidental destruction, accidental alteration or loss, and unauthorised access or disclosure.
We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personally identifiable information. Our security procedures mean that we may occasionally request proof of identity before we disclose personal information to you.
Our information security policies and procedures are aligned with widely accepted international standards, we apply the controls detailed in the Payment Card Industry Data Security Standard to all environments storing personal data. These standards are applied and are reviewed regularly and updated as necessary to meet our business needs, changes in technology, and regulatory requirements.
To this end, we have taken technical and organisational measures:
- We have taken technical measures such as firewalls and encryption of computer and mobile device systems.
- When personal data is transferred encryption, technology is used.
- When you submit credit card data when making a reservation, SSL (Secure Socket Layer) encryption technology is used to guarantee a secure transaction.
- Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.
- User ID / Password systems and procedures
POLICIES & PROCEDURES:
- We have measures in place to protect against accidental loss and unauthorised access, use, destruction, or disclosure of data.
- We place appropriate restrictions on the levels and type of access to personal information and have organisational measures such as user IDs/passwords to control staff access to personal data in line with their job requirements.
- We implement appropriate measures and controls, including monitoring and physical measures, to store and transfer data securely.
- We conduct Privacy Impact Assessments in accordance with legal requirements and our business policies.
- We undertake training for employees and agency contracted staff where appropriate.
- We require privacy, information security, and other applicable training on a regular basis for our employees who have access to personal information and other sensitive data.
- We take steps to ensure that our employees and agency contracted staff operate in accordance with our information security policies and procedures and any applicable contractual conditions.
- We require, through the use of contracts and security reviews, our third-party vendors and providers to protect any personal information with which they are entrusted in accordance with our security policies and procedures.
KEEPING IN TOUCH WITH YOU
We want to keep our customers up to date with information about special offers, benefits and improvements to our facilities and services.
When you engage with our marketing activities or use our facilities, either electronically online via the website or social media for example, or in person at the property, we will ask you if you want to opt-in to receive this type of promotional information. If you have consented to receive marketing, you may opt out at a later date.
If you decide you do not want to receive this marketing information you have the right to ask us not to process your personal information for marketing purposes. You can request that we stop contacting you for marketing purposes by contacting us directly or via the unsubscribe link within any marketing Email or SMS which you receive. You may continue to receive marketing information for a short period while your request is dealt with.
Heythrop Park Limited will not share your information with outside companies for their marketing purposes.
We reserve the right to contact our customers as necessary to fulfil the obligations and administration of our service. We will also communicate as deemed appropriate by Heythrop Park Limited in regard to any changes to the product, services and facilities of the hotel which may impact on you.
CHANGES TO HOW WE PROTECT YOUR PRIVACY
ACCESS, MODIFICATION & CONTACTING US
For the purposes of confidentiality and personal data protection, we will need to identify you in order to respond to your request. You will be asked to include a copy of two official pieces of identification, such as a driver’s license or passport, along with your request.
If your personal data is inaccurate, incomplete or not up to date, please send the appropriate amendments to the Data Privacy department as indicated above.
All requests will receive a response as swiftly as possible and in accordance with applicable law.