TABLE OF CONTENTS
SECTION 1 GENERAL
1.2 What this Policy is for
SECTION 2 WHEN WE USE YOUR PERSONAL DATA
2.1 Our website
2.2 Age Verification
2.3 Booking a room, table or event
2.4 During your stay
2.5 Making a restaurant booking
2.6 Payments and Refunds
2.7 Wi-Fi Services
2.9 Submitting Queries, Complaints and Compliments
2.12 Ban on Premises
SECTION 3 COOKIES POLICY
3.2 How to Control and Delete Cookies
SECTION 4 DATA RETENTION
4.1 How long do we keep your personal data for
SECTION 5 DATA PROTECTION LAW
5.1 Protecting Your Data
5.3 Being Accountable
5.4 Respecting the Law
5.5 Your Rights
5.6 Responding to your Questions
SECTION 6 HOW TO GET IN TOUCH
6.1 Who we share personal data with
6.2 Contact information
SECTION 7 INTERPRETATION
SECTION 8 AMENDMENT
This Policy describes how the Grail Court Hotel Ltd processes your personal data, as a controller. Our address is 164b Station Street, Burton-On-Trent, DE14 1BN, United Kingdom. Please see ‘How To Get In Touch’ below for contact details for specific matters.
You have the right to object to some of the processing which Grail Court Hotel carries out. More information about your rights and how to exercise these is set out in Chapter 4 ‘Your Rights’ below.
This policy applies to;
- Callers and
- Other Customers
And anyone visiting, contacting or using our;
- Guest Relations Team and
This policy refers to personal data, which is defined as information concerning any living person that is not already in the public domain.
The General Data Protection Regulation (GDPR) seeks to protect and enhance the rights of people. These rights cover the safeguarding of personal data, protection against the unlawful processing of personal data and the unrestricted movement of personal data within the EU. It should be noted that the GDPR does not apply to information already in the public domain.
1.2 WHAT IS THIS POLICY FOR?
This Policy explains what we do with your personal data and the steps we take to keep it secure. It explains when and how we collect personal data, who we share it with, how we process it and what your rights are in respect of the personal data processing we carry out.
WHEN WE USE YOUR PERSONAL DATA
We believe that a good customer experience means;
- Providing you with the products and services you want
- Giving you relevant information about our company, brands, products and special offers
- Keeping you safe whilst we entertain you.
To do these things well, we need to process some of your personal data. Within this chapter you get an insight into some personal data required when you use various functions.
2.1 OUR WEBSITE
Besides cookies, we use other information about your website visits to learn more about what our customers like and dislike, work out what changes we can make to improve our business and target our direct marketing.
2.2 AGE VERIFICATION
We are required by law to ensure we do not sell alcohol to anyone under the age of 18. As a company we support the Challenge 21 scheme.
The Challenge scheme aims to discourage underage drinking. They encourage hospitality industry staff to ask anyone lucky enough to look like they’re under 21 for proof of their age before we serve them. If you’re one of the lucky ones, please do not be offended if one of our staff asks you for your proof of age.
A photo-card driving license, passport or military ID are valid proof of age for the scheme. If you do not have these documents, check the scheme website to see what else we can accept.
Further details of Challenge 21 can be found at https://beerandpub.com/campaigns/challenge-21/
2.3 BOOKING A ROOM, TABLE OR EVENT
We will ask for your name, gender, address, telephone number and email address. We use this information to make and confirm your booking. If you book online, we will also record your IP address. We use this information to check that the booking is genuine.
If you’re making a booking on behalf of a work colleague, we will ask for information about your company and the guest, so that we can invoice and bill the correct party and welcome your colleague when they arrive at our hotel.
Please also tell us about any preferences or specific needs you or anyone in your party has, especially dietary preferences, food allergies or access needs. We will use this information to make preparations for your visit and look after you whilst you stay with us.
If you are celebrating a special occasion, we may ask for your age or date of birth, or about your special event. This is so that staff can make your celebration as special as we can.
We also use booking information to learn more about what our customers like and dislike, work out what changes we can make to improve our business and target our direct marketing.
More information about IP addresses can be found at https://en.wikipedia.org/wiki/IP_address
2.4 DURING YOUR STAY
Upon arrival we will use your personal information stored in our property management system to confirm your booking and identify you. This is the information collected when making the reservation or if you booked via a third party such as booking.com.
We also record your itemized spending during your stay for the purposes of billing. This information is also recorded to comply with financial reporting requirements.
For overseas visitors, we are required by local law to collect your passport number and next destination. We will only hold passport information for 12 months as required by law.
2.5 MAKING A RESTAURANT BOOKING
There are several ways of making a restaurant booking with us, including the following:
- Over the phone with our reception teams
- By email to our reception teams
- By coming into the hotel and making a booking with our reception teams.
Personal information such as your name, telephone number and email address will be required when making a booking.
2.6 PAYMENTS AND REFUNDS
If you want to pay for your purchases with a payment card, we will ask for your name, the card number, expiry date and security number (CVC).
For security reasons, we keep all card payment details secured safely on our password-protected computers until the end of your visit.
2.7 WIFI SERVICES
We will ask for your name, email address, date of birth, gender, home address and mobile number so that we can register you for the service.
When you first register, and then each time you connect to the Wi-Fi service, we get information directly from your device and from the equipment used to provide the Wi-Fi service that describes where, when and how you registered, or where, when and how you connected to the service. We use the date, the time, the name and your device’s MAC address to provide the Wi-Fi service and to make the service as reliable as possible.
We also use information about your use of our Wi-Fi service to learn more about what our customers like and dislike, work out what changes we can make to improve our business and target our direct marketing.
Important: If you don’t want your device to auto-connect to the Grail Court Hotel Wi-Fi service, don’t select the ‘connect automatically’ option when you sign up.
You must check you have not saved your Grail Court Hotel Wi-Fi connection settings before you give your device to someone else, otherwise they may be able to access some of the personal data used to provide the Wi-Fi service.
If you choose to connect automatically and then change your mind, you can delete the Wi-Fi connection or turn off Wi-Fi on your device.
Information about MAC addresses can be found at https://en.wikipedia.org/wiki/MAC_address
Knowing what interests our customers the most helps us build better products, brands and services and accurately target our direct marketing and advertising campaigns. Therefore, we use profiling to help us find out as much as we can about what our customers like and expect from us.
Profiling involves comparing what we know about you with what we know about other customers and people with similar likes or interests. The personal data we use in our profiles includes:
- Demographic information, such as your age, gender, address and postcode
- Purchase information, such as what you bought, how you paid and whether or not you took advantage of a discount
- Your likes and dislikes, such as what you drink, what you eat, whether or not you take advantage of special offers and whether or not you like what we post on our websites and our social media pages
- Information about family events and special occasions, such as the dates of birthdays, weddings, and anniversaries
- Information about your visits to our hotel and website, such as when, how often and how long you stay for.
- Information about your use of our services and whether or not you participate in our promotions, such as our Wi-Fi service
- Information about how you respond to our marketing and advertising campaigns, such as whether or not you read our marketing messages, see our adverts on social media or take up any of our special offers
If we get our profiling right, you will enjoy our products, services and brands more and more as we make improvements to them based on what we learn about you. And if you have signed up to receive direct marketing, you will get the special offers that we think will most appeal to you.
Profiling helps us to improve our business and customise what and how we communicate to you. However we don’t profile people who don’t want to be profiled – so if you don’t want us to use your personal data for these purposes, tell us and we won’t.
2.9 SUBMITTING QUERIES, COMPLAINTS AND COMPLIMENTS
We will ask for your name, telephone number and email address so that we can identify you and discuss your enquiry with you. We will also ask for any other relevant information, such as further information about you, other members of your party or your purchases. We will use this information to take your enquiry and respond appropriately to it.
We use CCTV to help keep our guests and staff safe, so your image may be recorded when you visit us. We display signs at our hotel to tell you when CCTV is being used. If no incident takes place, the CCTV images will not be looked at before they are deleted. However, if an incident occurs, we will review the CCTV images to see if they contain footage that relates to the incident.
In the event of an emergency at our hotel recordings may be used in any legal and insurance claim-related proceedings that follow.
If you are unfortunate enough to be involved in an accident on our premises, we will ask for your name, address, phone number, age and any other details that relate to the accident, such as information about any relevant health conditions you have or any injuries or treatments you receive.
2.12 BAN ON PREMISES
At the Grail Court Hotel, we pride ourselves in great customer service and keeping everyone staying, visiting or working here safe. Therefore, we are members of the Pubwatch National Scheme. General information about Pubwatch schemes can be found on the national Pubwatch scheme website. You can find out more about a local Pubwatch scheme by asking a member of our staff or visiting their website on http://www.nationalpubwatch.org.uk/
We do not ban people from our hotel unless it is absolutely necessary to do so. Sometimes we have to impose a ban after serious anti-social, dangerous or criminal behavior has taken place. If you are banned from our hotel, as part of the Pubwatch Scheme, we will use your name, photos of you and any other personal details that we need to identify you and which we can use lawfully, to enable our staff to record and enforce the ban and to let other Pubwatch members know about it.
A cookie is a piece of text which asks permission to be placed on your computer’s hard drive. Once you agree (or your browser agrees automatically if you have set it up that way), your browser adds that text in a small file.
A cookie helps analyse web traffic or lets website operators know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
3.2 HOW TO CONTROL AND DELETE COOKIES
We know that people have concerns about cookies, but we believe that the benefit that you and we gain from their proper use is worthwhile.
You can delete the files that contain cookies – those files are stored as part of your internet browser. If you wish to restrict or block the cookies which are set by Grail Court Hotel’s website, or indeed any website, or if you wish to receive notifications of cookie placement requests or decline cookies completely, you can do this through the browser settings. The Help function within the browser should tell you how. Please be aware that declining or denying cookies may prevent you from being able to use the website to its highest capability.
If you would like more information about how cookies work, you may wish to visit www.aboutcookies.org which contains comprehensive information on how to disable cookies on a wide variety of browsers. You will also find details on how to delete cookies from your computer as well as more general information about cookies. For information on how to do this on the browser of your mobile device you will need to refer to your manual.
4.1 HOW LONG WE KEEP YOUR DATA FOR
|Information||Is kept until|
|When we need to verify your age||No information is retained, unless required for another person in this list|
|When you book a room, table or function||Booking information that you provide directly to the hotel is held for 1 year from the end date of the booking. Contractual paperwork relating to bookings is kept for 2 years after the contract has concluded. When you make a booking online, we keep booking information for 13 months from the date of your last booking.|
|When you make a payment or request a refund||6 years from the date of the transaction. Payment card details are not retained unless they are faxed to us by your booking agent, in which case they are held until the booking has been completed and paid for.|
|When you use our Wi-Fi service||13 months from the date you last used our Wi-Fi.|
|When we carry out profiling||13 months from your last known interaction with us.|
|When you submit queries, compliments or complaints||1 year from the date of the last correspondence on the matter|
|When we record CCTV images||CCTV recordings are kept for 31 days, measured from the date of the recording. However, in some situations these periods are extended.|
|When an accident occurs||6 years from the date of the accident, or 3 years from the age at which a child becomes an adult, or 3 years from the date of settlement of a claim, whichever occurs first.|
|When we impose a ban||Please refer to the information sent to you when the ban was imposed or to the local Pubwatch scheme rules on the Pubwatch scheme website.|
|When you make a request to exercise your data protection rights||Information about your request and our response will be kept for 12 months from the date of our final response to you.|
|When information is relevant to a legal or insurance-related action, proceeding or claim||6 years from the date that the action, proceeding or claim is settled.|
DATA PROTECTION LAW
We have adopted the measures that we believe are necessary to comply with the General Data Protection Regulation into UK law.
We have also adopted the measures that we believe are necessary to comply with the Privacy and Electronic Communications Regulations 2003. This law sets out an additional set of rules that we must follow whenever we communicate with you via any of our websites and apps, or by telephone, fax, email or text message.
5.1 PROTECTING YOUR DATA
We protect the personal data we hold from theft, accidental loss, corruption and other threats that would have a negative impact on our customers. These protective measures include;
- Not collecting personal data that we don’t really need
- Destroying or anonymizing personal data securely when we do not need it any more
- Only allowing our staff and our suppliers to process the personal data they need to carry out their duties
- Encrypting personal data to render it useless to anyone who is not authorized to access it
- Making sure that staff are trained on how to handle personal data safely and securely and are fully aware of their personal responsibilities
- Binding our suppliers and partners to the same standards and duty of care that we hold ourselves to
- Protecting our websites, networks and IT systems from unauthorized access and from threats such as denial of service attack, viruses and malware.
- Making periodic checks that all of these measures are working well and making improvements to them when we think we can do better
5.2 BEING ACCOUNTABLE
As well as the security measures mentioned above, we have a team of people whose job it is to make sure that Grail Court Hotel does the right thing the right way whenever we’re processing personal data. This team includes a Data Protection Officer, who can be contacted using the contact details in Section 6.
There is a set of checks we apply to make sure we process personal data fairly and transparently. These include;
- Providing you with clear and accurate information about why we need your personal data, what we do with it and how long we keep it for.
- Checking that our business interests don’t unfairly and unreasonably impact upon you or your rights
- Identifying personal data processing risks and reducing them to an acceptable level
- Responding honestly, clearly and promptly to enquiries we receive from you or from the Information Commissioner’s Office.
5.2 RESPECTING THE LAW
The ICO have published a helpful guide to lawful bases for the general public, which can be found on ICO’s website.
|When you use our website||We process this personal data because it is in our legitimate interests to provide a fully-functioning, accessible and useful website to our customers|
|When we need to verify your age||We process this data to satisfy our legal obligation to not sell alcohol to anyone under the age of 18. We also do so because it is in our legitimate interests to ensure that we do not market alcohol to anyone under the age of 18|
|When you make a booking, payment, request for refund, use our Wi-Fi services or we send you service-related communications||We process personal data for these core business activities firstly, to set up the contract that commits us to providing you with the services you want, and secondly to provide the service to you as agreed|
|When we carry out profiling||We believe it is in everyone’s interest that we seek to learn from our customers to improve the relevance, appeal and value of the products, services and brands we offer. This helps our business to continue to prosper, so this processing is a legitimate interest for us.|
|When you submit queries, compliments and complaints.||We receive and respond to lots of different types of enquiries. Sometimes our processing will be necessary for us to meet the terms of the contract we have with you. Otherwise we do so because it is in our legitimate interests to allow you to tell us what you think of our services, what we do well and what you think we can improve on.|
|When we record CCTV images, when an accident occurs and when we impose a ban.||We record accidents primarily for compliance with our legal obligations. We use CCTV monitoring because we think this is a proportionate approach to deterring the types of situations that present a safety risk to our guests and staff. If these deterrents are unsuccessful, we may impose a ban on visiting our hotel, in order to protect our guests and staff. This processing is carried out because it is in our legitimate interests to do so.|
5.4 YOUR RIGHTS
Data protection law gives you certain rights and, as a responsible data controller, we are committed to upholding these for you:
|Name of right||Description||How to make a request|
|Access||You have the right to be sent information about the personal data we have about you and the description of what we are using it for. This is also known as ‘subject access request’, ‘SAR’ or ‘DSAR’||Send requests to email@example.com|
|Rectification||You have the right to ask us not to process inaccurate personal data or to ask us to correct it||Send requests to firstname.lastname@example.org|
|Erasure (‘right to be forgotten’)||You have a right in certain situations to ask us to delete your personal data||Some conditions and limits apply to these rights; you can find out more about these on the ICO website|
|Restrict processing||You have a right in certain situations to ask us not to process your personal data|
|Object to processing||You have the right in certain circumstances to object to the fact that we are processing some of your personal data.|
|Portability||You have the right in certain circumstances to ask us to pass some of your personal data to another personal controller on your behalf|
|Complain||You have a right to lodge a complaint with the UK Information Commissioner’s Office or in some situations, another European Union data protection authority.||Send your complaints to the ICO|
|Withdraw consent||Most of the personal data processing we do does not rely on your consent to make it lawful but any consent that we are relying on can be withdrawn by you if you decide you wish to do so.|
Detailed information about all these rights can be found on the ICO website.
5.5 RESPONDING TO YOUR QUESTIONS
When you notify us that you want to exercise any of your rights, we will acknowledge your request as soon as possible and ask for any information we need to verify your identity: if we do not already know who you are, we will ask you to send us a copy of your passport or photo-card driving license, so that we can check your name, address and signature.
Once we have confirmed your identity, we will validate your request then gather together the information we need to be able to respond fully to it.
Whilst we always try to carry out this work as quickly as possible, it may take us up to 30 days to respond to you in full. If your request is particularly difficult to respond to, we may ask you for any further information that will help us respond more quickly or ask you if there is some information that you want particularly urgently. We may also respond to your request in phases, as relevant information becomes available.
If we cannot satisfy your request within 30 days, we will write to you to tell you why, and when we expect to be able to provide you with a full response. If for any reason we decide that we should not respond in the way you have asked us to, we will provide you with our decision and our reasons for reaching it within 30 days.
HOW TO GET IN TOUCH
6.1 WHO WE SHARE PERSONAL DATA WITH
We will share your personal data if we are required to do so by law or by a regulatory authority. For example, we may have to share your personal data for the detection or prevention of crime, fraud or money laundering, or to allow a regulator or ombudsman to investigate a complaint you have submitted to them.
We will share your personal data if we need to do so to protect our business interests, such as to enforce the terms of a contract, pursue an overdue debt or defend our legal rights.
Occasionally, we may need to share your data to protect the rights of other organisations or people. In these cases, we will try to contact you to seek your consent first, but this may not be possible, especially in the event of a medical or other emergency.
6.2 CONTACT INFORMATION
If you want to discuss how we use your personal data or get in contact with our Data Protection Officer:
- Write to us at Grail Court Hotel, Station Street, Burton-Upon-Trent, DE14 1BN
- Send us an email to email@example.com
- Call us on 01283 741155
Company Name: Grail Court Hotel
Company Personnel: all employees, workers, contractors, agency workers, consultants, directors, members and others.
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.
Data Controller: the person or organization that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. We are the Data Controller of all Personal Data relating to our Company Personnel and Personal Data used in our business for our own commercial purposes.
Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
Data Protection Officer (DPO): the person required to be appointed in specific circumstances under the GDPR. Where a mandatory DPO has not been appointed, this term means a data protection manager or other voluntary appointment of a DPO or refers to the Company data privacy team with responsibility for data protection compliance.
EEA: the 28 countries in the EU, and Iceland, Liechtenstein and Norway.
Explicit Consent: consent which requires a very clear and specific statement (that is, not just action).
General Data Protection Regulation (GDPR): the General Data Protection Regulation ((EU) 2016/679). Personal Data is subject to the legal safeguards specified in the GDPR.
Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
Privacy by Design: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.
Privacy Guidelines: the Company privacy/GDPR related guidelines provided to assist in interpreting and implementing this Privacy Standard.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.
Related Policies: the Company’s policies, operating procedures or processes related to this Privacy Standard and designed to protect Personal Data.
Sensitive Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.
The hotel reserves the right to make amendment(s) and renew the contents of this handbook on an ‘As Required’ basis. Amendments will be announced through our hotel notice board or website.
Updated in March 2018