GDPR Policy - DATA PROTECTION ACT 1998 & GDPR ACT 2018
All serviced and self-catering accommodation premises must keep a record of all guests over the age of 16. The record should include their full name and nationality.
We must keep each guest’s details for at least 12 months, and to comply with the Immigration (Hotel Records) Order 1972 we must, as a minimum, collect the following information from guests on their arrival:
(1) full name
For all who are not British, Irish or Commonwealth guests:
(1) passport number and place of issue (or another document which shows their identity and nationality)
(2) details of their next destination (including the address, if known) on or before departure.
Churchill Guest House Exemptions: we do not need to notify the Information Commissioner if we are only holding personal data for one or more of the following core business purposes:
(2) marketing and public relations provided that we hold only the data necessary on the people necessary for us to do our own advertising
(3) we do not disclose information to any third party not involved with our advertising without the consent of the person whose data it is
(4) we only keep the personal information as long as it is necessary to do the advertising
(5) staff administration (subject to similar conditions as advertising)
(6) accounts and financial records (subject to similar conditions as advertising).
Normally, if we are going to hold information on you for any purpose other than handling the booking, such as later marketing, we need to obtain your consent. The Act does not specify what form this consent has to be in; it may be an informal, spoken ‘yes’, but we should give you enough information for you to make an informed decision (e.g., what personal information we intend to hold and why). We must keep all consents on record. Churchill Guest House has a Guest Registration Form/Data Protection/GDPR consent form that all guests are asked to sign on arrival.
Data Protection 1998
(1) Right of access
You have a right to know what information we are holding on you and why we are holding it (we are allowed to charge up to £10 to provide you with this information upon request). If we receive a written request from you for this information (with the appropriate fee), we must respond within 40 days stating:
(a) whether we hold any personal data on you, and
(b) what the data is, the reason we are holding it and those to whom it has/may be disclosed, along with an intelligible copy of the information and details of the manner in which it was collected.
(2) Right to prevent processing for the purposes of direct marketing:
If we receive a written request from you to cease using the personal data we hold on you for direct marketing, we must do so.
(3) Right to prevent processing likely to cause damage or distress:
If we receive a written request from you to cease using the personal data we hold on you because it is causing, or is likely to cause, substantial damage or distress to you or another, we must do so.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the Data Protection Act (DPA). The main changes are:
(1) The Right to be Forgotten:
You can, at any time, request that we remove all your personal data from our system. If you have previously agreed that we can provide your data to a third party, we must also stop doing this if we receive a Right to be Forgotten request. However, it is important to note that any Right to be Forgotten request does not override our requirements to hold information under other legislation. For example, we are required by law to keep financial records for seven years, therefore you cannot request that we delete records of any financial transactions undertaken in the last seven years. Churchill Guest House will exercise your right to be forgotten if it is no longer a legal requirement for us to retain any data on you. You may request this in writing and we will write back to you to confirm your data deletion or the need to keep it under law.
(2) Improving Consent and Withdrawal of Consent:
The conditions for consent have been strengthened so that we must be clear and upfront with our customers about what exactly you are consenting to when you sign up. We must also make it easy for you to withdraw your consent at any time. Churchill Guest House will ask you to sign a consent form on arrival. If you wish to withdraw consent, simply email us at CHURCHILLGUEST@GMAIL.COM and we will acknowledge your request and notify you accordingly.
(3) Right to Access:
The GDPR also expands your rights to access the information that we hold on you. This has two parts:
(a) on your request, we are required to inform you if personal data concerning you is being processed, where and for what purpose.
(b) if requested, we must provide a copy of all the personal data we hold on you electronically and free of charge.
(4) Notification of Data Breaches:
The GDPR requires us to notify the Information Commissioner’s Office within 72 hours of first having become aware of any breach where that breach is likely to “result in a risk for the rights and freedoms of individuals”. For any breach, we are required to notify you “without undue delay” after first becoming aware of a data breach. In the event of a breach we will do this in writing to your last known address given to us at the time of your booking.