The General Data Protection Regulation (GDPR) 2018 regulates the processing of data relating to individuals. This includes the obtaining, holding, using or disclosing of such data and covers computerised records as well as manual filing systems and card indexes. The Company (Smarter Travel Limited) shall hold the minimum personal data necessary to enable it to perform its functions due to legitimate interests. All such data is confidential and needs to be treated with care, to comply with the law. We recognise that the lawful and correct treatment of personal data is very important to successful operations and to maintaining customers’ and employees’ confidence in ourselves. Any personal data which we collect, record or use in any way whether it is held on paper, on a computer or other media shall have appropriate safeguards applied to it to ensure that we comply with the Act. Smarter Travel Ltd is registered with the Information Commissioner (Ref. ZA298556).
Smarter Travel Ltd will, where appropriate and allowed by law, rely on ‘legitimate interests’ as a lawful basis for handling personal data. In this case, ‘Legitimate Interests’ means the interests of Smarter Travel Ltd in how we conduct and manage our activities. We might refer to legitimate interests when we want to use your information in a way that we believe will benefit Smarter Travel Ltd and the services we provide. However, we cannot do something we think is in our legitimate interests if it causes undue harm to the person whose information we are using. We need to make sure we get the balance right in all cases and will let you know what our use of your data will mean for you.
The Company is fully committed to adhering to the Principles of GDPR, as set out in the Regulation. In summary, the Principles state that personal data shall be:
• Processed lawfully, fairly and in a transparent manner in relation to individuals;
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; and
• To comply with the law, information shall be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
In terms of the Act, we are the ‘data controller’, and as such determine the purpose for which, and the manner in which, any personal data are, or are to be, processed. To assist in achieving compliance with the principles, the Company has appointed a Data Protection Officer (DPO) with specific responsibility for data protection within the company. Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
All data processors and data controllers are responsible for ensuring that:
• Any personal data they hold, whether in electronic or paper format, is kept securely; and
• Personal information is not disclosed deliberately or accidentally either orally or in writing to any unauthorised third party.
In accordance with Article 33, where a breach of GDPR has been recognised, individuals will be notified directly. A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of Smarter Travel Ltd becoming aware of it. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data. All company computers have a login system and each Travel Plan Contact Database is password protected, which allows only authorised staff to access personal data. Passwords on all computers are changed frequently. All personal and financial data is kept in a locked filing cabinet and can only be accessed by approved staff. When staff members are using the laptop computers out of the office, care should always be taken to ensure that personal data on screen is not visible to strangers.
We will not use data for a purpose other than those agreed by data subjects (residents, employees, staff and others). If the data held by us are requested by external organisations for any reason, the data will only be passed on if data subjects (residents, employees, staff and others) explicitly consent. Also, external organisations must state the purpose of processing, agree not to copy the data for further use and sign a disclaimer agreeing to abide by GDPR and the Smarter Travel Ltd Data Protection Policy.
The Company will monitor the data held for our purposes, ensuring we hold neither too much nor too little data in respect of the individuals about whom the data are held. If data given or obtained are excessive for such purpose, they will be immediately deleted or destroyed. The Company will always put our logo on all paperwork, stating our intentions on processing the data and stating if, and to whom, we intend to give the personal data. We discourage the retention of data for longer than it is required. All personal data will be deleted or destroyed by us once two years have elapsed from receiving said data.
Under Article 15, all individuals that the Company holds data on have the right to obtain from the controller confirmation as to whether or not personal data concerning the individual is being processed, and, where that is the case, access to the personal data and the following information:
• The purposes of the processing;
• The categories of personal data concerned;
• The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• The right to lodge a complaint with a supervisory authority; and
• Where the personal data are not collected from the data subject, any available information as to their source.
• Data must not be transferred to countries outside the European Economic Area without the explicit consent of the individual.
The Company takes particular care to be aware of this when obtaining survey information via the Internet, which can be accessed from anywhere in the world. This is because transfer includes placing data on a website that can be accessed from outside the European Economic Area. If you ever wish to see your personal information we hold, please refer to section 1.8 so that arrangements can be made.
Your privacy is of the utmost importance to us. Because we gather certain types of information about residents/staff associated with Travel Plans, we feel you should understand fully the terms and conditions surrounding the capture and use of that information. This Policy discloses what information and/or data we gather, how we use it, and how to correct or change it. This includes information supplied to us by you through a third-party service, such as Facebook or Liftshare. If you have any questions in relation to our Policy please contact us on [email protected].
We gather two types of information about data subjects: data that subjects provide through optional, voluntary data gathered through information derived mainly by postal/online survey questionnaires and journey plan posts throughout the Liftshare Network. Occasionally, we conduct surveys to understand better the travel needs of our audience in order to analyse current travel habits to and from regular destinations as well as to improve our features. We sometimes share the aggregated demographic information in these surveys with our clients or partners. We never share any information about a specific data subject gathered in a survey with any third party without that Member’s express consent. We do not, however, control the practices of our partners. If you have questions about how our partners use information about you please contact them directly (we will divulge information only as necessary to comply with English law). We use your data to create aggregate reports and carry out analysis of demographics and traffic patterns for our Clients and carefully selected third party partners in order to compare travel data and to improve our Services.
The types of personal data about data subjects that may be held by us would include:
• Your address;
• Your name;
• Your email address;
• Your work/education place or postcode;
• Number of dependents; and
• Whether a disability affects choice of travel habits.
The personal data held by us will only be used for the following purposes:
• Contacting purposes where the individual has won a prize.
• Issuing of Travel Plan related incentives.
• Personalised Travel Planning.
• Research of travel habits and barriers to change.
• Identify demographics of groups to tailor incentives and promotions.
• Limited information on individual names will only be used when promoting winners of prize draws.
• Responding to any queries raised by data subjects via letter, email, phone, website or social media channels.
• Sharing of information with carefully selected third parties so as to provide free incentives, i.e. bike register kits.
• Personnel Data of staff and clients associated with Smarter Travel Ltd will be subject to the Data Protection Policy of Richard Jackson Limited.
One of the rules under GDPR gives you the right to see certain information held about you. Personal data is confidential and access is restricted. Under Article 15 an individual has the right to request copies of all their personal data, known as a subject access request (SAR). In order to get a copy of their personal data, an individual has to make a request either verbally or in writing, and provide sufficient information to identify themselves and the information they are seeking. Individuals can contact: Subject Access Request, Smarter Travel, 847 The Crescent, Colchester, Essex, CO4 9YQ or call (01206) 228800. Smarter Travel Ltd will respond to the SAR within one month of receiving it. All SARs will be treated in the strictest confidence and will only be processed by authorised Smarter Travel Ltd staff in order to locate the information and process the SAR. Only information which is considered to be personal data will be released under a SAR. The anonymity of other individuals or other information which is not considered to be personal data may be protected, as appropriate, by redaction or omission in accordance with Article 15. In order to request information on behalf of another individual, Smarter Travel Ltd requires proof that you are acting with the authorisation of that individual. Therefore, some additional information is required.
You have a right to object to the way in which we process your data. Where your data has been used for direct marketing this is an absolute right. If you have any complaint or concern relating to how we have handled your personal data, you can contact the Data Protection Officer in the first instance. The Information Commissioner’s Office has published guidance on raising a concern with an organisation.