GDPR DATA PROTECTION POLICY 2018
iStay Serviced Apartments Ltd
iStay Serviced Apartments Ltd is committed to protecting the legal rights and freedoms of our guests and clients. We promise to process all data collected through our company in compliance with all legal structures. iStay holds personal data about our employees, guests, corporate clients, and suppliers (agencies).
This policy sets out how we seek to protect personal data and ensure that our staff understand the rules governing their use of the personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Data Protection Officer (DPO) be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.
Our GDPR policy states how data is collected by iStay Serviced Apartments, how it is stored and how it is intended to be used. This document is used by staff at our company to ensure they are following GDPR regulations in full when handling your data. We are committed to ensuring that this information remains up to date and that our staff remain informed whenever changes are made to this document, which may happen from time to time as is necessary by legal obligation.
iStay Serviced Apartments Data Protection Officer:
Name: Matthew Munns (Director)
Phone: 01604 945115
iStay Serviced Apartments Ltd commits to the following principles as outlined in the EU GDPR document.
Lawfulness, fairness and transparency
iStay will collect data legally, and its uses will be open and transparent. iStay will not misuse the data that it collects.
iStay Serviced Apartments will only collect data for specific reasons that it can justify as requiring data.
iStay Serviced Apartments will not take part in collecting or storing unnecessary data which it cannot justify as requiring for any purpose.
iStay Serviced Apartments will do its utmost to ensure that stored records are accurate and up to date.
iStay Serviced Apartments will not store any data longer than it is necessary to do so.
Integrity and confidentiality
Our data collections and records will be kept confidential and will be regularly reviewed to ensure they are secure.
We must ensure that data collection only takes place when it is lawful. This is defined as the data subject giving traceable consent for their data being used. This is considered fair and lawful collecting and processing of data.
Data subjects have the right to request that their data is removed if there is no traceable consent. This is fair under the first principle.
iStay Serviced Apartments is specified as a Data Controller under the terms of the EU GDPR.
Lawful and reasonable conditions for collecting data
- The data subject has given full consent for data to be processed and used.
- The data is essential to complete a contract or booking
- The data is part of a legal requirement to possess specific data
- The data is essential to protecting human life in a medical situation
What to consider when processing data
- What is the reason we require this data?
- Can we achieve our goals without using this data?
- Are we meeting our clients' expectations on how their data could be used?
- How could this affect the data subject?
- Is the data subject a vulnerable individual?
- Are you able to easily remove data on request after it is processed?
The key factor in making a decision to process data is to think about what the data subject would expect or would have expected when agreeing for their data to be processed. This directly relates to the ‘lawful and reasonable conditions for collecting data’ section.
Sensitive data is defined as data of a subject which can cause harm or lead to risk to an individual's freedoms and fundamental rights. This can consist of:
- Political preference
- Sexual preference
iStay may want to record some sensitive data so that our staff are aware of cultural or religious practices which may alter their pattern of work. If sensitive information is considered necessary to obtain, then explicit and traceable consent is required by the data subject in order to store it.
iStay Serviced Apartments | Data Responsibility
iStay must ensure it regularly does the following
- Assess and evaluate the data it holds and review its need in the database
- Ensure that staff are informed and trained in data protection rules
- Ensure that data on the system is lawful and given by consent
- Ensure that data is kept securely and accessible by relevant staff only
- Assess the risk of holding the data in its database
- Ensure that any parties who have access to the database are fully compliant with EU GDPR laws
- Data stored physically (paper, notes, etc.) must be held securely
- Physical data should be destroyed when it is not needed anymore
- Digitally stored data should require advanced passwords to access
- Passwords for anyone with access to the database should change often
- Data stored on any external drives must be encrypted or password locked
- The Data Protection Officer must approve of any cloud based database
- Data must not be saved to any personal device such as a phone or laptop
- Data must not be stored once its purpose is fulfilled and no longer required
As an individual, you have the following rights with regards to GDPR data protection.
Right to information
Right to access information
You have the full right to access your personal data and any relevant information held.
Right to rectify
You have the right to request that we amend any personal data we hold in relation to you. This must be completed to the request's specifics within the timeframe of 1 month.
Right to erase data
You have the right to request that we remove all data held in relation to you where there is no legal reason for us to hold it.
Right to transfer
You have the right to request that iStay transfers the stored data relevant to you so that you may use it for your own purposes.
Right to object
You have the right to object to your data being processed outside of its necessary role in our business procedures. This could be in relation to marketing and automated advertising.
If the data is being used for any form of data processing, consent must be obtained from the data subject before this takes place.
- The name and details of the data controller and data protection officer
- The purpose of the data collection
- The data subject's right to decline processing
- Who will receive this data
- Any details pertaining to third-parties or international transfers
- How long the data is intended to be kept for
- Details of how to raise any issues with the data processing
- The source of the data
- Details of how consent will be given by the data subject
Reporting & Breach of Data Regulations
If there is any breach of the company database, whether internal or external, iStay Serviced Apartments will report to the official regulation authority within the time frame of 72 hours. We hold a legal obligation to fulfil this demand.
Any discrepancies in the database that are noticed must be reported to the Data Protection Officer to be investigated immediately. If there is evidence that a member of staff is aware of a breach that has not been reported, then disciplinary action will be initiated and training will be reinstated.
How will iStay Serviced Apartments use your Data?
iStay Serviced Apartments has a requirement for the following information in order for it to run its business:
- Guest first and last name
- Guest email address for booking confirmation and payment
- Guest phone number for booking and emergency contact
- Guest residential address for security checks & data analysis
- Guest card information in order to process a business transaction
- Credit/Debit card details that have been supplied to a third-party
Our internal systems are designed to remove all guest payment information within 1 month of the details being added to the system. Payment information will never show in full on our system, as our software by licence will only show the last 4 card digits once it has been added to the system.
Marketing Analysis Data
iStay Serviced Apartments receives most of its data from third-party websites such as Booking.com, Expedia and other similar OTA & Agencies. Information that comes through these sites will have been previously agreed with you and contain information such as:
- Country of Origin
- Status within a loyalty program
- Credit/Debit card details that have been supplied to the third-party
All of the above information that comes from a third-party, with the exception of any payment details, is stored by iStay purely for the purpose of research analysis that we use to understand our market and audience.
With regards to any Credit or Debit card details, these are delivered securely, usually by an encryption service. In the event that an agency elects to deliver details via email, we securely erase these details once the transaction has been confirmed.
You have the full right to know what information has been stored about you via your booking with us. Please contact us via firstname.lastname@example.org should you wish to enquire about the information we hold about you.
iStay Serviced Apartments intends to advertise its offers, promotions and seasonal updates to clients who have given consent for marketing purposes. If you have agreed to receive marketing emails from us, we will endeavour to do our best to only send you relevant information about our products and services which is based on the data we hold about you.