DATA PRIVACY STATEMENT
To ensure GDPR compliance Abbey House Hotel (Cumbria) Limited will:
- only act upon written instructions of our clients (normally the data controllers)
- be subject to a duty of confidence, and ensure the same of all relevant staff members
- take appropriate measures to ensure the security of the processing
- only engage a sub-processor on written consent of the data controller
- assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR
- assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
- delete or return all personal data to the controller as requested at the end of any relevant contracts
- submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state
- train our staff to comply with these regulations
Our Direct Responsibilities under GDPR are to:
- only act on the written instructions of the controller (Article 29);
- not use a sub-processor without the prior written authorisation of the controller (Article 28.2);
- co-operate with supervisory authorities (such as the ICO) in accordance with Article 31;
- ensure the security of its processing in accordance with Article 32;
- keep records of its processing activities in accordance with Article 30.2;
- notify any personal data breaches to the controller in accordance with Article 33;
- employ a data protection officer if required in accordance with Article 37; and
- appoint (in writing) a representative within the European Union if required in accordance with Article 27.
Our policy for controlling data is to:
- only collect & retain information necessary to transact with our customers and prospects
- ensure that revoked consent requests are managed within 30 days of revocation
- enable the right of access within 30 days of request, unless otherwise specified in writing
- train our staff to comply with the regulation
Subject access requests:
Upon receiving a written subject access request Abbey House Hotel & Gardens will:
- verify the identity of the person requesting the information
- respond in writing within 30 calendar days with the requested information
- if requested, initiate the right to erasure process or correction within 30 calendar days
What Abbey House Hotel & Gardens will do should there be a data protection breach:
Should there be a data breach, our staff are trained to inform their line manager immediately, who will, in turn, inform an authorised member of personnel at the client and also inform the ICO within 72 hours.
The information provided to the client and the ICO will include:
- What has happened;
- When and how we found out about the breach;
- The people that have been or may be affected by the breach;
- What we are doing as a result of the breach.
The management team at Abbey House Hotel & Gardens Limited are responsible for the compliance and maintenance of this policy. If you have any other questions, please do not hesitate to contact me, John Horton – General Manager, on 01229 838282.
Abbey House Hotel & Gardens is registered with the ICO as a data controller – Registration number: ZA198341
This policy was reviewed on 1st August 2019.