
Archive for May 24th, 2018

GDPR

I have prepared this document in response to the introduction of the GDPR.

Data security has always been of paramount importance and my previous data systems were robust; however, I have undertaken a data protection impact assessment and, in the interests of full transparency, details and procedures are outlined here.

Each section explains why we request the information, how we use it and what happens to that information after it has been used.

 

What is GDPR?

  • On 25th May 2018 the Data Protection Act will be replaced.
  • The Data Protection Act will be replaced by the General Data Protection Regulations (GDPR).
  • The GDPR covers all data that is held electronically or on paper.

 

 Data that is held by Balkissock Lodge B&B:

 

Names, nationality and passport details:

  • B&Bs are legally required to collect and store the names and nationalities of all guests over the age of 16.
  • B&Bs are legally required to collect the following information of all guests who are not British, Irish or Commonwealth citizens with the exception of Diplomats, their family and staff:
    • passport numbers
    • place of issue
    • forwarding destination including address if known
  • This information is collected when you either:
    • book online via our website (via Freetobook) (Note 1)
    • book online via an online travel agent (OTA): I only currently use Booking.com (Note 2)
    • or when you complete the Registration Form on arrival.
  • You are asked to check/complete this information when you check-in and sign the registration form to verify its accuracy.
  • Balkissock Lodge B&B is legally required to store this information for a minimum of 12 months and for it to be made available for inspection by a Police Officer or ‘duly authorised person’ at all times.
  • Balkissock Lodge B&B stores the paper registration forms that contain the names, nationalities and passport details in a secure location.
  • The information is not transferred to any electronic device: ie this information is not held electronically by Balkissock Lodge B&B.
  • The information is not passed to any other person or organisation but is available for inspection by a Police Officer or ‘duly authorised person’.
  • The nationality and passport information is not used for any other reason by Balkissock Lodge B&B.
  • The registration forms are kept for a minimum of 12 months and for practical reasons to the end of the following financial year when all unrequired data and information is generally destroyed together (note 3).
  • The information is destroyed by shredding and/or burning.

 

Home address, contact telephone number and email address: 

  • B&Bs are not legally required to gather this information but it is requested for the following reasons:
    • Home address:
      • Required to process credit/debit card transactions.
      • To post receipt prior to visit or left items upon request.
    • Contact telephone number:
      • To contact you if an urgent issue arises.
      • We will not contact you by telephone unless absolutely necessary and we’ve been unable to contact you via email.
    • Email address:
      • For general communication regarding your visit: to confirm booking details, ascertain arrival times, enquire about dietary requirements for example.
      • To contact you after your visit (a thank you email) to ensure that everything has been to your satisfaction.
      • To send out e-newsletter upon request (Note 4).
    • Balkissock Lodge B&B stores the paperwork that contains addresses, telephone numbers and email address in a secure location.
    • Addresses and telephone numbers are not transferred to any electronic device: ie this information is not held electronically by Balkissock Lodge B&B except where it is held with our secure booking system and has been inputted either by yourself or by me if I have taken the booking via telephone or email.
    • Email addresses are not transferred to any electronic device other than in the two following instances:
      • Emails are often sent directly to guests (eg ‘welcome email’) in which case my email system will remember the details of the conversation.
      • A guest or member of the public asks to be added to the e-newsletter distribution list (Note 3).
      • Please note that if you email Balkissock Lodge B&B voluntarily then your email address will be automatically remembered by the email system.
    • Addresses, telephone numbers and email addresses will not be passed on to any other person or organisation unless specifically requested by the guest with their permission (for example if I have no availability, I will ask the guest if I can forward their enquiry to other B&B owners who may have availability).
    • Addresses, telephone numbers and email addresses are not used for any other reason by Balkissock Lodge B&B (Note 4).
    • The registration forms that this information is written on are kept for a minimum of 12 months and for practical reasons to the end of the following financial year when all unrequired data and information is generally destroyed together (note 3).
    • The information is destroyed by shredding and/or burning.
    • Emails are deleted after the guest has visited and after I have emailed my ‘thank you’ email.

 

Credit/Debit Card Details:

  • Balkissock Lodge B&B does not have a credit/debit card terminal and all card payments are made via our booking system Freetobook (note 1) who use SagePay (note 5) to process financial transactions.
  • Your card details are requested upon booking in order to make payment for your accommodation, food or any additional items that you select and are handled as follows:
    • Bookings made via telephone or email will be booked in to the Freetobook system and then a secure payment link will be emailed to you so that you can pay the deposit/balance securely online direct via the SagePay payment gateway. Your card details are tokenized (encrypted) and I only see the last four digits if I need to use the stored card for a further payment (the balance for example).
    • Bookings made via our own website are processed via Freetobook using the SagePay payment gateway. Your card details are tokenized (encrypted) and I only see the last four digits if I need to use the stored card for a further payment (the balance for example).
    • Bookings made via Booking.com may be handled in two ways depending upon what type of card you use; either:
      • Booking.com will take payment and provide it to Balkissock Lodge B&B as a “virtual card” which belongs to Booking.com not you. This is often done when you use a card that I do not take such as American Express.
      • Or Booking.com will take your credit card details and store them securely, making them available to me when I need to use them. The data is password protected and I manually transfer the information from Booking.com to SagePay via Freetobook.
    • I do not write down card details on to paper or anywhere else.
    • I do not store any card details other than via Freetobook/ SagePay as outlined above.
    • I do not pass on card details to any other person.
    • I will not ask you to give me your card details over the phone.
    • I will not ask you to send your card details in an email.
    • I am the only person at Balkissock Lodge B&B authorised to handle the card payment system.
    • Balkissock Lodge B&B is PCI DSS (payment card industry data security standard) compliant.

 

E-newsletter

  • Balkissock Lodge B&B sends out an e-newsletter each month.
  • People must sign up for this e-newsletter in one of the following ways:
    • Provide your email address during your visit and ask to be signed up to the distribution list.
    • Email me at any time and ask to be added to the distribution list.
  • You can unsubscribe at any time by emailing me and asking to be removed from the distribution list.
  • The e-newsletter is sent out by email in blind carbon copy (bcc) format so that everyone receives it but individuals cannot access other people’s email details.
  • Your email address is stored on my email system to facilitate this process and my email system is password protected.
  • Balkissock Lodge B&B will not pass the email addresses to any third parties nor use them for any other reason but to send out the e-newsletter.
  • I have a paper list of email addresses and the dates that everyone signed up to the e-newsletter.
  • This list is not stored electronically (other than the distribution list on the email system itself).
  • Please note that I’m looking into using a simpler system such as Mailchimp to do this.

 

Social Media 

  • I operate several social media accounts for both Balkissock Lodge B&B and some tourism ones for the local area (Ballantrae, SWScotland and AB&BA).
  • I engage with many people on a daily basis via these accounts.
  • I post photographs and information relating to the business, the locality, places of interest, events, etc.
  • I never spam anyone with direct sales messages.
  • I will follow back any account that has been kind enough to follow me except in the following two instances:
    • An obvious sales account that just constantly spews sales (I will also unfollow any that do so too).
    • Any ‘private’ account.

 

Guest book and reviews on websites:

  • Guests that are kind enough to leave reviews are thanked personally (if I see the review, that is).
  • All reviews are copied and uploaded to the ‘guest comments’ page of the website so that they can be viewed all together in one place.
  • Comments are often copied and shared on social media.
  • Guests’ full names are not used, but guests will be credited with their comments in the form of: “Debbie and Rob, USA, July 2018” or “Mr Brown, UK, June 2018” depending upon how they have signed the comments.
  • As the comments are placed in public places, eg on a review website or the guest book, I am not required to seek additional consent to use/share this data; however, if you object to your comments being used, please let me know in writing where you have seen it and I will remove it.
  • Please note that I have no control over how some review sites use the text and information that you post there.

 

Additional Information:

 

Access to your information:

  • You have the right to request a copy of the information Balkissock Lodge holds about you.
  • If you would like a copy of this information please email me at balkissocklodge@icloud.com.
  • There will be an administration fee of £5.00 for this service.

 

Cookies:

  • Cookies are text files placed on your computer when you view a website.
  • Cookies collect information about where you are located and what you view.
  • Balkissock Lodge B&B’s website “A Scottish Country House” is owned by WordPress who collect such data.
  • This data allows me to see which pages have been viewed and from where in the world people are looking. It gives me data such as how many views per day or per month etc.
  • I cannot access your location nor identify you nor know which pages you have been browsing.
  • You can set your browser not to accept cookies. See http://www.aboutcookies.org for more information.

 

The right to be forgotten: 

  • This is a new feature as a result of the introduction of the GDPR.
  • You have the right to ask to have your details removed from my system; however, this does not override any legislative requirement such as:
    • Names, passport numbers, destination information which must be kept for a minimum of 12 months.
    • Financial records and associated records must be kept for a minimum of 7 years.
  • From the information provided in this document you will see that any information that I hold on you is already destroyed when it is no longer required for the necessary purposes of trading.

 

Notes:

  1. Freetobook are PCI DSS and GDPR compliant; see website for details: https://www.freetobook.com
  2. Booking.com are PCI DSS and GDPR compliant; see website for details: https://www.booking.com
  3. Please note that financial records and any associated data must legally be kept for seven years.
  4. Specific exceptions to this will apply when someone asks to be added to the distribution list for the e-newsletter. See “E-Newsletter” section for details.
  5. SagePay are PCI DSS and GDPR compliant; see website for details: https://www.sagepay.co.uk

 

Cordelia Galley

Owner: Balkissock Lodge B&B

Responsible for data control

May 2018

This document will be updated as and when required.
