If you have any questions about this policy or about the data that we hold (or may hold) for you, please get in touch with us.
If we need to update this policy (for example because a change in the law requires us to do so) we will publish the new version on our website, so we recommend you check our website periodically to see if we have needed to make any changes that might affect you.
This policy applies to you if we obtain your personal data. This may occur if you contact us, if you visit us, if you work with us or for us.
We will never sell your personal data and we will not share it with people or organisations that we work with without your permission. No privacy and security system can be guaranteed to be perfectly secure at all times, but we have put in place procedures and systems designed to keep your personal data secure.
Your personal data (by which we mean information relating to you, for example, could be your name, address, date of birth, national insurance number, telephone number, and/or your email address) may be collected and used by us. We ask that you let us know if ever any of the personal data that you provide to us changes or if you become aware that data that we may hold for you is inaccurate.
We collect personal data in connection with specific activities concerning the work that we do with you or for you, and/or work which you do for us.
The personal data that you provide to us may include identification information, and if you visit us you may be recorded on our CCTV system.
The data that you provide to us or data we may obtain in the course of working with you or for you may include your personal details, financial information and/or medical information.
Your privacy is important to us, so we will always seek to keep your details secure. If you are happy for us to get in touch with you to provide you with details of the services that we offer which may be of interest to you, then, with your consent we may get in touch with you from time to time.
If you agree to receive marketing information from us you can change your mind at any time thereafter. However, if you tell us you do not want to receive marketing communications, then you may not hear about services that we offer which may be of interest to you. The choice is yours and we will respect your preferences.
The Internet is not a secure medium. However, we have put in place various security procedures to help ensure that your personal information is secure. We also keep your information confidential. Our internal procedures cover the storage, access and disclosure of your information.
When we hold your personal information, you are entitled to know what details we hold about you and why we hold it in the first place. If there is anything that you would like to know about the information that we hold about you please let us know and we will try to help. If you ask us to provide you with details of the personal data that we hold for you then we will do so in a structured and easy to use format.
You have the right to make sure that the data that we hold for you is correct. If you believe that the personal data that we hold for you is inaccurate then please let us know. If we have got something wrong we will try to correct it quickly for you.
If we are holding your personal data because you have consented to us doing so and, if you withdraw your consent, you are entitled to ask that we delete your data and we promise to do so (provided we do not need to retain the data for some other reason, in which case we will explain our reasons for retaining your data so that you know what we are doing and why).
If we have held your data because we have worked with you or for you, or if you have worked for us, we will only hold onto your data after the work between us is completed for as long as is necessary.
If you are concerned that we may be holding your personal data when there is no longer any need or proper reason for us to do so and you wish us to delete your data, please let us know.
For more information about your rights in relation to your personal data you can contact the Information Commissioner via the Information Commissioner's Office website at www.ico.org.uk
In consideration of the parties' respective obligations set out herein, which the parties acknowledge are required for compliance with the GDPR (as defined below), Moon & Benney Ltd t/a Group Travel and the recipient of this letter ("Customer"), incorporating the terms and conditions in this Appendix 1 (GDPR Requirements) ("Letter"), hereby agrees that these terms and conditions shall from the date of the Letter apply to the provision of services by the customer to Moon & Benney Ltd ("Services") in addition to any agreements previously entered into between the parties in relation to the provision of the Services ("Agreements").
1. Moon & Benney Ltd t/a Group Travel shall protect the rights of Data Subjects and duly observe all its obligations under the Data Protection Laws which arise in connection with the provision of the Services and the Agreements.
2. Moon & Benney Ltd t/a Group Travel Processes Personal Data for the customer as a Data Processor, we shall
2.1 process the Personal Data solely on the documented instructions for the customer, including the Agreements, for the purposes of providing the Services;
2.2 process only the types of Personal Data, relating to the Categories of Data Subjects, and in the manner required to deliver the Services in the manner agreed by the Parties;
2.3 designate a data protection officer if required by the Data Protection Laws;
2.4 take all Protective Measures including those required by Article 32 of the GDPR to ensure the security of the Personal Data;
2.5 take all reasonable steps to ensure the reliability and integrity of any Moon & Benney Ltd t/a Group Travel Personnel who may have access to the Personal Data, and to ensure their treatment of the Personal Data as confidential. The steps required by this paragraph 2.5 shall include (but not limited to) ensuring that Moon & Benney Ltd t/a Group Travel Personnel handling Personal Data:
2.5.1 have their access to Personal Data limited to that which is strictly necessary for their role in the performance of the Services;
2.5.2 are bound by confidentiality obligations no less onerous than those imposed on Moon & Benney Ltd t/a Group Travel in this Appendix 1.
2.6 not permit any third party to Process the Personal Data ("Sub-Processor") without the prior written consent of the customer, such consent to be conditional upon fulfilling the conditions referred to in Article 28 (2) and (4) of the GDPR;
2.7 confirm in writing that it has conducted adequate due diligence on any proposed Sub-Processor to ensure that it is capable of providing the level of protection for Personal Data required by this Appendix 1 including sufficient guarantees to implement all Protective Measures in such a manner that all Processing provided by the Sub-Processor shall comply with Data Protection Legislation and the terms of this Appendix 1 and provides evidence of such due diligence on request to customer or a Supervisory Authority;
2.8 remain fully liable for all acts or omissions of any Sub-Processor; and
2.9 not Process or transfer the Personal Data outside the European Union (which shall, for the avoidance of doubt, include the United Kingdom despite any departure of the United Kingdom from the European Union subsequent to the date of this Letter), whether in accordance with GDPR Article 46 or LED Article 37, without: (i) customer prior written consent to be given or withheld at the customers absolute discretion; and (ii) ensuring the Data Subject has enforceable rights and effective legal remedies;
2.10 Notify the customer immediately if it:
2.10.1 receives a data subject access request (or purported data subject access request);
2.10.2 receives a request to rectify, block or erase any Personal Data;
2.10.3 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Data Protection Laws;
2.10.4 receives any communication from the Information Commissioner's Office (ICO) or any other regulatory authority in connection with Personal Data processed under the Agreements;
2.10.5 receives any other request, complaint or communication relating to either party's obligations under the Data Protection Laws; or
2.10.6 becomes aware of a Personal Data Breach, threatened Personal Data Breach or suspected Personal Data Breach, such notice to be addressed to Moon & Benney Ltd t/a Group Travel, Data Protection Officer [firstname.lastname@example.org] and include all information required by Moon & Benney Ltd t/a Group Travel to comply with its obligations under the Data Protection Laws
2.11 include the provision of further information for the customer in phases, as details become available following a notification under clause 2.10;
2.12 provide the customer with full assistance in relation to any obligations under Data Protection Laws and any complaint, communication or request made under clause 2.10
2.13 provide any assistance reasonably requested by the customer in relation to all preparation of any Data Protection Impact Assessment prior to commencing any processing; and
2.14 maintain complete and accurate records and information to demonstrate its compliance with this clause 2;
2.15 maintain all records required by Article 30 (2) of the GDPR;
2.16 provide any assistance reasonably requested by the customer in relation to: (i) any communication received under clause 2.10 above, as well as any equivalent communication received the customer directly; and (ii) any Personal Data Breach, including by taking any appropriate technical and organisational measures directed by the customer.
3. Nothing within this Letter or the Agreements shall relieve Moon & Benney Ltd t/a Group Travel of its own direct responsibilities and liabilities under the GDPR.
4. The customer and Moon & Benney Ltd t/a Group Travel agree to take account of any guidance issued by the Information Commissioner's Office, where the customer may give 30 working days' notice to Moon & Benney Ltd t/a Group Travel amend any Agreement to ensure that it complies with any guidance issued by the Information Commissioner's Office
5. For the purpose of this Appendix 1: "Data Protection Impact Assessment" means an assessment by the Controller of the impact of the envisaged processing on the protection of Personal Data; "Data Protection Laws" means applicable legislation protecting the privacy and personal data of natural persons, including in particular the Data Protection Act 1998 (and, from 25th May 2018, the GDPR), and the Data Protection Act 2018 once this enters into force, Law Enforcement Directive (Directive (EU) 2016/680 (LED), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (each amended, updated, superseded or re-enacted from time to time by relevant Supervisory Authorities; "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; "Protective Measures" means appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the such measures adopted by it; "Moon & Benney Ltd t/a Group Travel Personnel" means all directors and employees, at Moon & Benney Ltd t/a Group Travel engaged in the performance of its obligations under the Agreements; and The expressions "Process", "Data Processor", "Data Controller", "Personal Data", "Personal Data Breach", "Supervisory Authority" and "Data Subject"