main logo

GDPR POLICY

General Data Protection Regulation


Rational

The GDPR is Europe's new framework for data protection laws and came into force on May 25th 2018; designed to modernise laws that protect the personal information of individuals.

Both personal data and sensitive personal data are covered by GDPR. Personal data refers to a piece of information that can be used to identify a person. This can be a name, address, IP address and so on. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more.

The Data Protection Act is underpinned by eight important principles.

Personal data must:

1. Be processed fairly and lawfully

2. Be obtained only for specific, lawful purposes

3. Be adequate, relevant and not excessive

4. Be accurate and kept up to date

5. Not be held for longer than necessary

6. Processed in accordance with the rights of data subjects

7. Be protected in appropriate ways

8. Not be transferred outside the European Economic Area (EEA)

This policy applies to all people working/volunteering for Ivanhoe Guest House and helps protect Ivanhoe Guest House from some very real data security risks, including breaches of confidentiality.

Everyone who works for or with Ivanhoe Guest House has some responsibility for ensuring data is collected, stored and handled appropriately.

The Owners have ultimate responsibility for ensuring that Ivanhoe meets its legal obligations.


What information do we collect?

All serviced accommodation premises must keep a record of all guests over the age of 16 to comply with the Immigration (Hotel Records) Order 1972.

Ivanhoe Guest House must, as a minimum, collect the following information from guests on their arrival:

1. Full name

2. Nationality

For all Non-British, Irish or Commonwealth guests, we must also collect:

1. Passport number and place of issue (or other document which shows their identity and nationality)

2. Details of the guest’s next destination

We must keep each guest’s details for at least 12 months.

Ivanhoe Guest House may also need to gather and use a range of other information about individuals, suppliers, business contacts, employees and anyone we have a relationship with or may need to contact. This policy describes how this personal data will be collected, handled and stored to comply with the law.

Other information we may collect:

● Names of individuals/businesses

● Postal addresses

● Email addresses

● Telephone numbers

● Payment details

● Dietary requirements

● Car registration number (for guests using on-site parking)

● Plus any other information relating to individuals’ Data protection risks or relating to the Government’s Track and Trace requirements.


How we collect information

We collect and store any information you:

● Provide us with when you make a reservation

● Enter via our website

● Enter on any of our social media pages


Why we collect personal and non-personal information?

● To comply with any applicable laws and regulations

● To enable us to provide our service users with confirmation of their booking

● To enable us to tailor our service to meet the requirements of individual guests

● To ensure we are able to recoup costs and charges relating to guest bookings

● To personalise service-related notices and promotional messages


How we store, use, share and disclose your personal information

Our company is hosted on Great British Website’s platform, which allows us to sell our products and services to you.

Your data may be collected and stored through Hub Spot’s data storage, databases and general applications which use GDPR-compliant features.

Booking data is processed by Queensborough Group and the sub-processors which provide services in connection with the operation of our online booking system are HotelHost and Rackspace. They maintain appropriate security standards and procedures in relation to the collection, use and retention of Your Personal Information in order to prevent unauthorised access or disclosure.

Most direct card payments are processed using Stripe:

At Stripe, privacy, data protection, and data security are at the very heart of everything we do. We’re continuously working to reset the bar for ourselves in the security and data privacy realm, and view the GDPR as an opportunity for the entire industry to come together on this and improve.

GDPR compliance is comprised of many elements. Most of the GDPR compliance elements take place “under the hood” of an organisation as they relate to updates on how an organisation is processing personal data. These are some of the steps Stripe are performing for their users:

● Perform a gap analysis between the requirements imposed by the Data Protection Directive and the GDPR, as applicable to the company’s business operations.

● Review and update internal tools, procedures and policies where necessary.

● Revise data mapping and data inventory practices, and update where necessary, to comply with record retention obligations under the GDPR.

● Perform a dedicated gap analysis of privacy and data protection review tooling to meet the Data Protection Impact Assessment requirements.

● Update approach to international data transfers.

● Update contracts to reflect Art. 28 GDPR obligations as they relate to the company’s contracting parties.

● Review and, where necessary, revise relationships with vendors to meet the requirements of the GDPR to ensure that those third parties receive and process personal data in a lawful way.

● Update the company’s Privacy Compliance Program with continuous employee training to reflect the changes to be implemented for the GDPR.

All other card payments are processed using Square. Square protects its systems with industry-leading technology and security controls, including:

● Square performs data encryption within the card reader at the moment of transaction.

● Square’s software is developed using industry-standard security best practices.

● Square’s servers are monitored around the clock by dedicated security staff.

● Square’s employees act in accordance with security policies designed to keep your data safe.

Since Square itself is PCI compliant, they require account holders to validate PCI compliance. Merchants who use Square for all storage, processing and transmission of payment card data do not need to validate PCI compliance for those transactions.

Data will be held in as few places as necessary.

Staff will not create any unnecessary additional data sets.


How we communicate with you

We may contact you to answer enquiries, confirm your reservation, resolve problems or make amendments to your booking, collect deposits or monies owed, to send updates about our company and information about relevant local events, or as otherwise necessary to contact you to enforce any agreement we may have with you.

For these purposes we may contact you via email, telephone, text/instant messages and post.


Consent and how to withdraw

When you contact us to enquire about availability or to make a booking, we assume consent to contact you.

If we are going to hold information on you for any purpose other than completing your reservation, such as later marketing, we need to obtain your consent. The Act does not specify what form this consent has to be in, it may be an informal, spoken ‘yes’, but we should give you enough information for you to make an informed decision and must keep all consents on record.

Ivanhoe Guest House has a Guest Registration Form that all guest are asked to sign on arrival.

When we send out information or marketing emails, we give you the option to withdraw consent by responding to the email stating that this.

If you don’t want us to process your data anymore, you can tell us at any time by sending an email to ivanhoeguesthouse@outlook.com or by writing to us at Ivanhoe Guest House, 63 Cardigan Road, Bridlington, YO15 3JS.


General staff guidelines

The only people able to access data covered by this policy are those who need it for their work. Data will not be shared informally. If access to confidential information is required, employees can request it from the Owners, who will ensure employees understand their responsibilities when handing data.


Data Storage

When data is stored on paper: it will be kept in a secure place where unauthorised people cannot see it. When not required, the paper or files will be kept in a locked filing cabinet.

Paper and data printouts will be shredded and disposed of securely when no longer required.

When data is stored electronically: it will be protected from unauthorised access, accidental deletion and malicious hacking attempts via approved security software and a firewall.

Data will be protected by strong passwords that are changed regularly and never shared. If data is stored on removable media, it will only be uploaded to an approved cloud computing service. Data will be backed up frequently.

Laptops used to store data will be password protected and mobile devices like tablets or smart phones will be protected using pin codes or biometrics.

When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.


Data accuracy

The law requires Ivanhoe Guest House to take responsible steps to ensure data is kept accurate and up to date. For this reason, we will check your details with you if further bookings are made and will delete any email addresses from our database that are returned with an undeliverable message.


Subject access requests

All individuals who are the subject of personal data held by Ivanhoe are entitled to:

● Ask what information the company holds about them and why.

● Ask how to gain access to it.

● Be informed how to keep it up to date.

● Be informed how the company is meeting its data protection obligations.

If you would like to correct, amend or delete any personal information we have about you, you are invited to contact us at any time using the details below.

If you would like to know what information we hold about you, you can make a subject access request. Subject access requests should be made by email, addressed to the owners at ivanhoeguesthouse@outlook.com or by writing to us at Ivanhoe Guest House, 63 Cardigan Road, Bridlington, YO15 3JS.

Individuals will be charged £10.00 per subject access request.

The owners will aim to provide the relevant data within 14 days.

The owners will always verify the identity of anyone making a subject access request before providing any information.


Disclosing data for other reasons

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, the Owners will disclose requested data once we have confirmed the request is legitimate.


Privacy Statement

Our website is held on a secure platform


Permission

We do not have a cookies options bar and we do not knowingly use cookies to gather any of your information.

Ivanhoe Guest House will never disclose any information to third parties that identifies you.


Third party/external cookies

Our site includes functions provided by third parties such as the social networks listed in the share function shown at the bottom of each post. Disabling these cookies will affect the functions offered by the third parties.

Policy Changes will be noted on the Information Page of our website.


Other websites

Our web site may contain links to other web sites which are outside our control and are not covered by this Privacy Statement.

If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy policy, which may differ from ours.


Policy Updates

We reserve the right to modify this policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on our website.


CCTV POLICY

Introduction

The purpose of this policy is to explain how information captured using CCTV is used and retained by The Ivanhoe Guest House and sets out your rights in relation to such information.


Purpose of CCTV

Closed Circuit Television Systems (CCTV) are used by The Ivanhoe Guest House and are installed in line with the requirements of the business, as set out herein, and in compliance with the General Data Protection Regulation.

The purpose of the CCTV Systems are as follows:

● Improving the safety and security of guests, visitors, employees and contractors by providing a means to investigate accidents and near misses so that risk management control measures can be implemented.

● Providing reassurance to staff and guests that control measures are in place relating to their safety and security.

● Providing assistance to local law enforcement authorities with reference to the investigation and prevention of crime (including counter-terrorism)

● Deterring persons from committing crimes and to enhance the opportunities for detecting those who do.

● Discouraging anti-social behaviour including alcohol and drug-related crime on or about the premises.


Access to CCTV Footage or Images

Access to the CCTV system and stored images is restricted to authorised Ivanhoe Guest House personnel only for the purposes set out above. However, in appropriate circumstances, CCTV footage may be accessed:

● By local law enforcement authorities, where The Doyle Collection is required by law to assist in the carrying out of an investigation into a crime or anti-social behaviour.

● By data subjects (or their legal representatives), pursuant to an access request where the time, date and location of the recordings is furnished to the hotel.

● By individuals (or their legal representatives) subject to a court order.


Retention Period and Security

The images captured by the CCTV is retained for a maximum of one month from the date of recording, except where longer storage of such images may be required to assist in any of the scenarios outlined above.

The images/recordings are stored in a secure environment with access strictly limited to those who are suitably authorised.


Access Requests

You have the right to request access to CCTV footage of you by sending an email to ivanhoeguesthouse@outlook.com or in writing to Ivanhoe Guest House, 63 Cardigan Road, Bridlington, East Yorkshire, YO15 3JS.

All requests will be dealt with in compliance with the duties and requirements imposed upon The Ivanhoe Guest House as data controllers under the GDPR.

Individuals requesting access to CCTV images may be required to supply the following to assist the data request:

● Adequate information to enable the information to be efficiently identified and located on our system.

● Sufficient information to establish that the applicant has a legitimate right to request access.

● Proof of identification through photographic identification, for example passport or driving license.


Updated November 2021

logo

© Ivanhoe Guest House | Site by: Sushi Creative