Introduction
Please take time to read this document carefully as it contains details of the basis on which we will process (collect, use, share, transfer) and store your information. You should show this notice to all parties related to your arrangement with Henry Cookson Adventures (HCA). If you have given us information about someone else, you are deemed to have their permission to do so.
If you have any questions or need further information you can e-mail our Compliance Officer [email protected] or write to our Compliance Officer, Henry Cookson Adventures Ltd, 2 Clearwater Terrace, London, W11 4XL.
Use of information
We, Henry Cookson Adventures Ltd, who may curate and execute bespoke travel products either on your behalf or in conjunction with you, will at all times treat all personally identifiable information strictly in accordance with European General Data Protection Regulations (GDPR) with effect from 25th May 2018.
Data controller and data processor
We will ensure data is processed lawfully, fairly and in an open and transparent manner and ensure appropriate security measures are in place against unauthorised or unlawful processing or accidental loss, destruction or damage using appropriate technical or organisational measures (such as restricting access to key people within our organisation for certain aspects of your information; and periodically checking the level of security we apply to prevent unauthorised use, accidental loss, or misuse of your information). The contractual arrangements we have in place with our suppliers (providers of accommodation, transport or ancillary travel services, our Client Database software provider, and similar providers of services to us, including any third-party companies who use our services) are governed by and shall be deemed to operate strictly in accordance with the terms of such contracts and non-disclosure agreements.
Importantly, from your perspective these contracts set out to define how data will be processed between us, including circumstances when we act as a processor (such as visa applications) or controller as is required by the GDPR. When acting as a controller of your data, we will, in certain circumstances determine the purposes and means of processing your data; in particular this will include the data processed by suppliers in tailoring travel services for your specific need.
Lawful basis for:
Collecting information about you
When we collect information about you, we may collect personal data which may include a variety of information about an individual (e.g. their name, address of residence, communication and contact details, and other personal information such as a date of birth). Where relevant to do so we may also collect information relating to an individual, indirectly by reference to an identifier (e.g. an IP address, which is a unique number identifying your computer, laptop or similar portable device).
Where required and appropriate to do so, we will also collect more sensitive personal information (such as details about an individual’s motoring or criminal convictions, details of health, credit worthiness and other similarly sensitive information). More detail on this is provided below.
In certain circumstances (e.g. in the course of designing a bespoke itinerary to best suit your needs) we will collect information from a variety of different sources (e.g. publicly available sources, such as social media and networking sites; third party databases generally available to the wealth advisory sector, and the wider commerce and industry including other suppliers appointed in the process of handling aspects of a travel product such as yacht crews or other staff). This may include information about you regarding past experience within the travel sector.
Data storage
Our aim is to hold all our data in an electronic format. Our data is stored on secure devices that are themselves stored in a locked and alarmed office. These devices are password protected. Data held on these devices is stored on secure cloud-based platforms where it is reasonable to do so. These platforms are all ISO/IEC 27001 certified. This is one of the most widely recognised independent international security standards.
Data within our electronic storage platforms is stored in a partitioned format ensuring that only employees or other authorized agents who have appropriate need may view required data.
Should we for any reason store your data in hard format (e.g. printed), it will be kept in secure filing within the office.
Accountable employee data handling policies govern the strict carriage, use and subsequent destruction of hard format documents. Details can be found in Annex E – Data Carriage Policy of the HCA Master Security document. This can be made available by request from our Compliance Officer.
Using information about you
We will use information, including sensitive information, about individuals, and other parties related to our business activities, because it is principally:
- necessary for an individual to utilize a bespoke travel product without the provision of personal data (e.g. preferences);
- necessary for compliance with a legal obligation (e.g. passport details);
- necessary to protect the vital interests of a data subject or another person; and
- necessary for our own legitimate interests or those of other controllers or third parties (e.g. to search at credit or anti-money laundering agencies, monitor e-mails, calls and other communications or for market research, analysis and developing statistics) except where such interests are overridden by the interests, rights or freedoms of the data subject.
These bases cover the design of bespoke travel opportunities, provision of quotes, implementing and managing the execution of any given trip, hosting clients, follow ups and the sharing of future opportunities that lie within the scope of a client’s appetite for travel.
When processing personal data for profiling purposes, we will ensure appropriate safeguards are in place, ensuring:
- processing is fair and transparent and provides meaningful information about the logic involved, as well as the significance and the envisaged consequences;
- only appropriate procedures are used for the profiling;
- appropriate technical and organisational measures are in place to enable inaccuracies to be corrected and minimise the risk of errors in recording profiled data; and
- your personal data is secured in a way that is proportionate to the risk to your interests and rights and prevents discriminatory effects.
We will also use your information when there is a justifiable reason for doing so, such as compliance with legal obligation (e.g. for the prevention and detection of fraud and financial crime, which may include processes which profile you); and for the recording of all communications by any or all means for auditing reasons.
Sharing your information
We will share information, including sensitive information, about you, and other parties related to our products and services because it is:
- necessary for the creation of or to take steps for you to undertake a travel itinerary or other HCA service; or
- necessary for compliance with a legal obligation; or
- necessary to protect your vital interests; or
- necessary for our own legitimate interests or those of other controllers or third parties; and
- necessary for a task carried out in the public interest or for an exercise of an official authority (e.g. a regulatory body).
This includes sharing your information within Henry Cookson Adventures Ltd as necessary and with carefully selected third parties providing a service to us or on our behalf. These include our Insurance Providers and/or our banks or other financial services we utilize, who may require details for fraud or anti-money laundering obligations. (You can write to our Compliance Officer at the details above should you wish to view a list of all the insurance companies and financial institutions with whom we have arrangements.)
What we will not do with your information
Unless required to do so by law, or for other similar reasons, other than those outlined (see above: Sharing Your Information) we will never otherwise share personal information without good reason and without ensuring the appropriate care and necessary safeguards are in place; we will in any other event ask for your consent to share that information and explain the reasons.
How long we will keep information
We will only keep and/or maintain information about an individual for as long as is necessary in providing our products and services or for compliance with a legal or regulatory obligation.
This means we will only keep information that is necessary so that we can effectively deal with administrative issues, queries about past trips, enquiries for repeat business, insurance claims and/or compliance with legal or financial audit reasons; usually we will keep information for a minimum retention period of 7 years and/or a maximum period of 40 years after cessation of a product or service we have provided.
However, we will keep information for much shorter periods if that information relates merely to a quotation which did not then result in a trip being arranged; in these circumstances we will keep information for a minimum retention period of 12 months and a maximum period of 7 years, unless such information becomes manifestly out-of-date, in which case we may keep quotation information for shorter periods.
In any event all information shall be stored in strict compliance with the GDPR legislation at all times; and using appropriate technical or organisational measures we will regularly:
- review the length of time we keep and or maintain information about you;
- consider the purpose or purposes why we hold the information about you in deciding whether (and for how long) to retain it;
- securely delete information about you that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information about you if it goes out of date.
Sensitive Data
In carrying out our duties as Data Controller and Data Processor we may collect sensitive information about you, and other parties related to our products and services, where this is:
- necessary for the creation of or to take steps for you to undertake a travel itinerary or other HCA service; or
- necessary for compliance with a legal obligation;
- necessary to protect your vital interests;
- necessary for our own legitimate interests or those of other controllers or third parties; and
- necessary for a task carried out in the public interest or for an exercise of an official authority (e.g. a regulatory body).
By sensitive data we mean information such as:
- an individual’s health including medical conditions;
- any criminal convictions; and
- racial or ethnic origin or religious beliefs.
We will always apply additional organisational and technical measures for this category of data, including restrictions to access this data (this is where data may be secured with additional layers of security to prevent misuse and protect personally identifiable information from improper or unjustified use or dissemination).
Use and storage of your information overseas
Due to the global nature of travel and our worldwide operations, travel undertaken with HCA is likely to occur outside the European Economic Area (EEA). In this circumstance, the transfer, storage, or processing of information about you or an individual will occur beyond the EEA for the reasons stated above under ‘Sharing Your Information’. In any event, if we are compelled to transfer your information outside the EEA it shall be in compliance with the conditions for transfer set out under European GDPR guidelines and restricted to countries which are considered to have adequate data protection laws. In any circumstance, all reasonable steps shall have been undertaken to ensure the firm to which information is being transferred has suitable standards in place to protect such information.
Using our website and cookies
You will be asked to accept a cookie, which is a small file of letters and numbers that is downloaded on to your computer when you visit any of our group of companies’ websites. This will be clearly explained to you when you visit the website and you will typically have to accept the cookie to benefit from the services the website can offer.
Cookies are operated in strict accordance with European Privacy and Electronic Communications Regulations 2011 (PECR) and are widely used by many websites and primarily enable the website to remember an individual’s preferences, recording information the individual may have entered on our web pages.
These same rules also apply if any individual accesses or uses any other type of technology to gain access to information stored electronically by us, including app technology HCA may utilise to facilitate or improve client experiences.
Individual rights
Individuals have a number of rights relating to the information we hold. These rights include but are not limited to:
- a copy of the personal information we hold (once requested, HCA have up to one calendar month to provide an individual with such information);
- rectify information, if it is inaccurate or incomplete;
- request the deletion or removal of an individual’s personal data in part, or in its entirety, where there is no compelling reason for its continued processing;
- suppress processing of an individual’s personal data; when processing is restricted, we are permitted to store the personal data, but not carry out further processes. We will retain sufficient information about the individual to ensure that the restriction is respected in future (see Marketing);
- object to certain uses of an individual’s personal information (see Marketing);
- in certain circumstances, not to be subject to a decision when it is based on automated processing and/or it produces a legal effect or a similarly significant effect on an individual;
- withdraw any permission you or an individual may have previously provided; and
- complain to the Information Commissioner’s Office at any time if you or an individual is not satisfied with our use of such information.
Individuals can request a copy of the personally identifiable information we hold about them by contacting us, including the right to have such information in a portable form (‘a right to data portability’). We will normally not only provide the information free of charge (however, we may apply a charge where information requests are excessive) but will also provide that information in a format that is easily accessible, including electronic formats, should an individual require it in that format to ensure information can be exchanged easily with other organisations.
If you would like further information or wish to make a Subject Access Request (SAR) you can e-mail [email protected] or write to our Compliance Officer, Henry Cookson Adventures Ltd, 2 Clearwater Terrace, London, W12 9JA.
Marketing
When marketing to you as an individual (including individual sole traders and partnerships), we will either rely on the permission we have (if we are able to do so) or we will ask for your permission (consent) to contact you, including the means to contact you (such as by phone, e-mail, push notifications, SMS text, or post), to tell you about:
- new products or services we have or are developing;
- trialling products and services which we think may improve our service to you or our business processes;
- rewards we may offer you.
We will typically ask for permission when you first contact us (usually but not limited to our websites); however, you will maintain the right to easily withdraw such consent whenever you wish (unsubscribe). We will regularly review any such consent to check that your relationship with us and any processing, including the purposes, have not changed.
In all situations where we market to a business we will observe both the market standards and those rules and guidelines of the Privacy and Electronic Communication regulations (PECR).
We have in place a process to ensure we refresh your consent at appropriate intervals, including any parental or third-party consents (where relied upon), act on withdrawals of consent (unsubscribe) as soon as we can, and do not penalise you if you choose not to give, or later decide to withdraw, your consent.
Research and analysis
Personal information we hold may be converted into statistical or aggregated data (i.e. data which cannot be traced back to an individual) to produce or undertake statistical or analytical research and development work, which shall not be shared beyond HCA. This is undertaken to enable us to optimise our marketing approach and customer experience.
We may continue using personally identifiable information we may hold, specifically relating to an individual’s past experiences travelling with HCA, after trips have taken place, for processing research and analysis as above.