This website www.grenhamtravel.ie (the "Website") is owned and operated by Grenham Travel. ("Grenham Travel", "we", "our" and "us"), an Irish incorporated company, with an address 1-3 Connaught Street, Athlone, Ireland.
Grenham Travel needs to gather and use certain information about individuals to provide a professional service and fulfil contractual obligations. These can include customers, suppliers, business contract, employees and other people the company has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law.
In general, Grenham Travel does not collect, store, use or disclose personally identifying information except in very specific instances, such as, for example, when you use our contact form, or have had multiple previous communications with a Grenham Travel representative. Whenever we collect such information, you may request access to, rectification, erasure or restriction of your Data, or object to the processing of your Data or Data portability at any time. The retention period for your data depends on the relationship with us, we need to retain customer and client data for a period of 7 years, for none customer / client data we retain this information up to a period of 5 years. With regard to the age of consent we will adhere to the data protection commission’s guidelines in this regard https://www.dataprotection.ie/docs/Age-of-Consent/m/212.htm.
We will respond to your request in writing as soon as practicable and in any event within one month of receipt of your request. We may request proof of identification (e.g. drivers licence, passport etc.) to verify your request. All requests should be addressed in writing by post to Grenham Travel, 1-3 Connaught Street, Athlone, Ireland or email to email@example.com
You may also use the above contact information if you think any information about you is inaccurate, incomplete, or if you want to change the sort of information about you that Grenham Travel may have collected.
The Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:
1-3 Connaught Street
Co Westmeath N37 WY89
You have the right to lodge a complaint with the Data Protection Commissioner if you are unhappy with how we are processing your Data.
Why this Policy exists
This data protection policy ensures Grenham Travel Ltd:
- Complies with data protection law and follow good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Information we may collect from you
We may collect and process the following data about you:
Contact information (business name, business address, contact telephone number and email address) and your IP address, your browser type, and you’re referring URL
|Business Function||Data we hold||Why we hold it||Where we hold it||Where we get it form||Who we share it with||What Personal Data is included|
|Booking queries and reservations
|Correspondence with a customer about an intent to book||
For people who view and interact with our website; we process data; Ref. website /cookies policy. www.grenhamtravel.ie
To respond to queries sent through our ‘contact us’ form.
|Customer via Telephone, Visit to our premises, Social media,
Contact by Email/Web sites, Referrals.
|Third parties relating to the booking: (Hotels, Transfers, Airlines, Car hire, Principals i.e. travel companies e.g. Royal Caribbean etc.||Name
Family details including children
Age of children
|Booking and reservations (Core Record)||The main record we have as a confirmed booking||
To fulfil customer holiday bookings.
To contact you when required in connection with your bookings.
For contractual obligations.
|We retain customer booking information in hard copy and ensure this is in a secure location at all times.
Plus On Travel Manager which is password protected and stored in a cloud with an external Company in encrypted format.
|Customer||Third parties relating to the booking: Hotels, transfers, airlines, car hire, Insurance company, Principals i.e. Travel companies e.g. Sunway etc.||
Driving Licence for Car Hire
May include health information e.g. restricted mobility, dietary needs etc. (only when relevant).
May include special requests e.g. Honeymoon etc.
|Complaints||Data from passengers that are for some reason unhappy with their holiday.
We request details of the complaint in writing from the customer.
|They asked us to -through contractual obligation.||Hardcopy in secure locked press/ store room.||Customer||
Third Parties relating to the booking (Hotels, Transfers, Airlines, Car Hire, Excursion Providers, Travel Partners Holiday Companies relevant to booking.
Solicitor if relevant.
Family details including
Age of children
May include health information – where relevant.
|Payments||Details of travel payments||We do not hold it. It is passed on to an authorised provider and to banks.||N/A||Customer||Payment provider and to Relevant Trade Partners via bank.||N/A|
Nera work sheets.
Profit/Performance on Mercury Software programme.
|It is a mandatory requirement.||
IT Excel folder on password protected computer.
|Individual members of staff &
Our Accountant RBK
Sales bookings details.
We may need to share the information gathered from you with our sub-contractors, and our Licensees in order to facilitate the full and efficient operation of the Products and Services. Such disclosure of information will only occur to the extent necessary to provide the Products and Services of the Website in the fulfilment of our obligations under its agreement with you and or to market to you under the terms of this policy if you so permit.
Security of Personal Data
Personal Data collected is treated with the highest of respect and we process all details in a confidential secure manner:
- The exterior of our building and interior of our office have CCTV security cameras and an alarm system in situ. 24 Hour CCTV images are being recorded for the purpose of crime prevention, crime detection and promoting public safety. Each member of our sales team has an individual panic button at their desk.
- The alarm is monitored by an outside Specialised Alarm Company with 24/7 coverage.
- Live Transactions: Data recorded on hard copy is kept in filing cabinets and stored in a steel lockable press in a secure location.
- Data is also recorded on Mercury IT Specialised Travel Manager. This is password protected and only available to authorised staff; this is also stored in a cloud by an outside company in encrypted format.
- Passports when given with explicit consent are stored in a heavy duty fireproof locked safe.
- Laptop and PCs are password protected and computer screen programmes are locked when unattended.
- Completed Transactions: Live enquiries via email, visit to our office, social media, phone or otherwise which do not convert to bookings and are no longer necessary for the purposes for which it is processed are retained for up to twelve months and cross shredded (GDPR approved cross - shredder used).
- Completed bookings - Data is stored in indexed format in a secure location. This is stored for 7 Years in compliance with Legal Obligations, files with complaints or litigation issues may be stored for longer as in accordance with individual legal requirements. On expiry date of the legal time limit; the said completed files are routinely destroyed in accordance with legal obligations as long as they are no longer necessary for the fulfilment of the contract or the initiation of a contract. They are shredded by an external registered shredding company. This specialised company issue a Certificate of Destruction and Recycling on completion of the process.
- Printing/Copying of sensitive data e.g. passports etc. is carried out on GDPR compliant Printer in secure mode, access to printed matter is passcode protected and only available to the authorised member of staff.
- CC Payments: Credit card numbers are not recorded or emailed, Phone payments are immediately entered into the terminal as the customer gives the details. The receipts are stored in a locked filing cabinet and cross shredded when legitimate legal obligations are meet. We are PCI Compliant with Attestation illustrating same. This PCI compliancy is updated each year.
- Antivirus Internet security is installed and updated by our IT Company; this is a company who specialise in Travel Technology e.g. Galileo etc. Likewise, they also install a firewall for security purposes.
- All servers and computers containing data are protected by approved security software and a firewall.
- In order to protect your personal data and information from loss, misuse, alteration or destruction we have implemented generally accepted standards of Technology and security. Unfortunately, the transmission of information by means of the internet, including via email, is not completely secure. Although we will do our upmost to protect your personal data, we cannot guarantee the security of your data transmitted to or from us by means of email and any such transmission is at your own risk.
Your rights relating to personal data
You have the following rights under GDPR, in certain circumstances and subject to certain exemptions, in relation to how we use your personal data:
- Request a copy of the personal information we hold about you.
- Correct any inaccurate personal data we hold about you
- Erase personal information we hold about you.
- Restrict processing of your personal information.
- Receive your personal information in a clear and accessible format.
- Have your data transmitted to another data controller.
- Requests for information will be replied within one month.
These rights are in some circumstances limited by data protection legislation and we might require further information from you before we can respond to your request. If you wish to exercise any of these rights please contact us in writing at our postal address or email address as stipulated above. Identification i.e. Passport or Driver’s licence will be required to ensure the procedures of GDPR are carried out
Data Protection Breaches
If any member of staff should detect a data protection breaches:
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed…
They must investigate the details i.e. what data was misappropriated, who received it, how it was transmitted, record details on Data Protection specimen template and report the situation to the Manager. The resolve of the matter will commence immediately and The Data Controller/Manager will notify the supervisory authority (DPC) within 72 Hours of becoming aware of it. If it is deemed to be a “high risk” case, affected individuals may have to be informed accordingly.
Notification is not required where the personal data breach is unlikely to result in a risk to the rights of individuals.
Your information and Third Party Service Providers
For compliance with our legal obligations: We may be required legally to collect, retain and disclose your personal data to customs agencies, port authorities, law enforcement agencies or to comply with a court order.
To fulfil your booking and our other services to you, we may share your personal data with third party suppliers such as airlines, accommodation providers, car hire companies, third party tour operators, cruise companies, ground handlers, excursion providers, airport authorities, insurance companies, IT service providers, accountants and providers of security and administrative services.
When we are required to do so, we provide your personal data to various government authorities, including airport and immigration authorities, and border control agencies.
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
Transfers of data outside the European Economic Area
We need to share your personal data with suppliers and other parties for the purposes set out in this privacy notice. Sometimes we may transfer your personal data outside of the EEA to perform our contract with your (to provide you with your holiday or travel arrangement). We will only transfer your personal data to countries that either have been deemed to provide an adequate level of protection for personal data by the European Commission or if the suppliers or other third parties are in the U.S. and part of the US-EU Privacy Shield, alternatively, the safeguard we have put in place for these transfers is to use the European Commission approved standard contractual clauses with the third party https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
LAWFULNESS OF PROCESSING
There are six alternative ways in which the lawfulness of a specific case of processing of personal data may be established under the GDPR.
It is Grenham Travel’s policy to identify the appropriate basis for processing and to document it, in accordance with the regulation. The options are described in brief in the following sections.
Unless it is necessary for a reason allowable in the GDPR, Grenham Travel will always obtain explicit consent from a data subject to collect and process their data. Transparent information about our usage of their personal data will be provided to data subjects at the time that consent is obtained and their rights with regard to their data explained, such as the right to withdraw consent.
2. Performance of a Contract
Where the personal data collected and processed are required to fulfil a contract with the data subject's, explicit consent is not required. This will often be the case where the contract cannot be completed without the personal data in question e.g. a delivery cannot be made without an address to deliver to.
3. Legal Obligation
If the personal data is required to be collected and processed in order to comply with the law, then explicit consent is not required. This may be the case for some data related to employment and taxation for example, and for many areas addressed by the public sector.
4. Vital Interests of the Data Subject
In a case where the personal data is required to protect the vital interests of the data subject or of another natural person, then this may be used as the lawful basis of the processing. Grenham Travel will retain reasonable, documented evidence that this is the case, whenever this reason is used as the lawful basis of the processing of personal data.
5. Task Carried Out in the Public Interest
Where Grenham Travel needs to perform a task that it believes is in the public interest or as part of an official duty then the data subject’s consent will not be requested. The assessment of the public interest or official duty will be documented and made available as evidence where required.
6. Legitimate Interests
If the processing of specific personal data is in the legitimate interests of Grenham Travel and is judged not to affect the rights and freedoms of the data subject in a significant way, then this may be defined as the lawful reason for the processing. Again, the reasoning behind this view will be documented.
Use of your data
We may use your Data where necessary for our legitimate business interests, including:
· improve the content of our Site and the services we offer
· ensure the Site is presented in the most effective manner for you and for your computer
· compile statistical data on the use of our Site
· notify you about changes to our service
We make no attempt to identify individual visitors, or to associate the technical details we collect with any individual, unless required to disclose such information by law. We may use your Data to comply with any legal obligations.
We will store your personal Data only for as long as necessary for the purposes of providing access to our Site and related services to you; as required by law.
Disclosure of your information
We will not disclose your Data to third parties unless you have consented to this disclosure or unless the third party is required to fulfil a request you have made or contract that you have entered into. Where appropriate, Data may also be processed by our service providers in which case we will take steps to ensure that the processing complies with applicable data protection and confidentiality laws. We will also disclose your Data if we believe in good faith that we are required to disclose it in order to comply with any applicable law, a summons, a search warrant, a court or regulatory order or other statutory or legal requirement.
Links to other sites
Our Site may, from time to time, contain links to and from other websites. If you follow a link to any of those websites, please note that those websites have their own privacy policies and we do not accept any responsibility or liability for those policies. Please check those policies before you submit any Data to those websites.
Security and where we store your personal data
We are committed to protecting the security of your Data. We use a variety of security technologies and procedures to help protect your Data from unauthorised access and use.
We have implemented strict internal guidelines to ensure that your privacy is safeguarded at every level of our organisation. We will continue to update policies and implement additional security features as new technologies become available.
Although we will do our best to protect your Data, we cannot guarantee the security of your Data transmitted to our Site. Any transmission of Data is at your own risk. Once we receive your Data, we will use appropriate security measures to seek to prevent unauthorised access or disclosure.
Changes to this Privacy Statement
We reserve the right to change this Privacy Statement from time to time at our sole discretion. If we make any changes, we will post the said changes here and update the “Last Updated” date at the bottom of this Privacy Statement. Your continued use of this Site after we make changes is deemed to be acceptance of those changes, so please check this Statement periodically for updates.
This Privacy Statement is covered by and shall be construed in accordance with the laws of the Republic of Ireland and you hereby submit to the exclusive jurisdiction of the Irish courts in the English Language. In the event that these terms are translated into any other language, the translation shall be for review purposes only and have no legal effect.
Last Updated April 2019