▪ Other parties that the organisation has a relationship with or may need to contact.
This policy describes how this Personal Data must be collected, handled and stored (processed) to meet our Data Protection standards AND to comply with the Law.
This Data Protection Policy ensures that Thistle Holiday Lets:
Complies with Data Protection Laws and follows good practice
Protects the rights of homeowners, clients and all other parties that relates to the business of THL
Is open and transparent about how it processes Personal Data
Protects itself from the risks of a Data Breach
The scope of this Policy applies to the following:
• All working locations
• All staff and contractors operating on behalf of Thistle Holiday Lets
It applies to all data that Thistle Holiday Lets holds relating to identifiable individuals including, but not limited to:
And any other identifiable information relating to individuals, including Special Categories (Sensitive) – See Section 9.0
Note that Thistle Holiday Lets typically does not hold any sensitive data, relating to individuals as we do not need to hold it to perform our services.
4.0 DATA PROTECTION LAW
The following key legislation and guidance informs Thistle Holiday Lets and the development of our procedures/controls:
European Data Protection Directive (95/46/EU)
The Data Protection Act 1998
The General Data Protection Regulation (GDPR)
These legal requirements govern how we will collect, handle and store Personal Data. They apply regardless of whether the data is stored electronically, on paper or on other materials.
To comply with the law, the following EIGHT principles must be applied and evidenced.
Personal Data must be:
Processed fairly, lawfully and transparently
Be obtained only for specific and lawful purposes
Be adequate, relevant and not excessive
Be accurate and kept up to date
Not be held for any longer than necessary
Processed in accordance with the rights of the Data Subjects (individuals)
Be protected in appropriate ways
Not be transferred out of the European Economic Area (EEA) unless that country or territory also ensures an adequate level of protection
The Policy helps to protect both Thistle Holiday Lets and associated individuals from very real data security risks including:
Breaches of Confidentiality. E.g. information being disclosed inappropriately
Failing to offer choice. E.g. all individuals have the right to choose how a company processes their data.
Reputational Damage. E.g. Complaints, legal proceedings, etc.
Everyone who handles/processes Personal Data must ensure that it is done so in line with this Policy and all other related procedures.
The only people who can access the Personal Data, covered by this Policy, are those who are required to use it for their legitimate work and who are authorised to do so.
Data must not be shared informally. Personal Data must be treated with the utmost confidence and security at all times.
Thistle Holiday Lets will strive to ensure compliance from all contractors, employees, partners, etc to ensure that they are fully aware and understand their responsibilities regarding Data Protection and Privacy.
For system access, strong passwords must be used and never shared
Personal Data should never be disclosed to unauthorised persons, either within the business or externally.
Data should be regularly reviewed (by authorised personnel) and updated according. If there is no longer a legal basis or legitimate purpose for retaining/processing the Data, it must be safely deleted.
Where consent is the legal basis for processing information, regular reviews must be undertaken to ensure that the individual still (explicitly) consents to sharing their Personal Data.
Individuals reserve the right to withdraw their consent to processing their Personal Data
Individuals may request information regarding the Data processed by Thistle Holiday Lets. This is called a Subject Access Request (SAR) and must be responded to within 1 month.
Individuals may raise a query or complaint to the Data Controller/Data Protection Officer. The contact details are at the end of this document.
Under the new GDPR, a lawful basis must be identified and evidenced before Personal Data can be processed. If there is no other legal basis (lawful purpose) then consent must be sought and evidenced. Article 6 1 (b) states an example when Thistle Holiday Lets may not specifically require consent in that when ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.
Consent must be:
Given by clear statement or affirmative action
Consent can no longer be implied.
Prior to obtaining consent, individuals will be provided with access to the Privacy Notice (also called a Fair Processing Notice). See Section 14.0.
To manage consent and ensure that it does not degrade over time, Thistle Holiday Lets will conduct regular consent audits and contact the relevant individuals to establish that consent is still current and given as above.
8.0 SPECIAL CATEGORIES
This relates to the processing of sensitive data that must be treated with a high degree of care. Special categories of data include; racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning health or reveal their sex life or sexual orientation.
Processing this data is prohibited unless EXPLICIT consent is obtained from the individual. There may be certain circumstances where processing is necessary, and these details can be provided by the Data Controller / Data Protection Officer on request.
9.0 DATA STORAGE
The following details and rules exist for data is stored at Thistle Holiday Lets:
(n.b. I think table one should be property owners and table two guests…)
10.0 DATA TYPE PURPOSE LEGAL BASIS STORAGE REQUIREMENTS RETENTION PERIOD
(end of contract plus)
Home Owner’s Name
Home Owner’s Email Address
Home Owner’s Telephone
Home Owner’s Home Address
Client’s Letting Property Address
11.0 DATA TYPE PURPOSE LEGAL BASIS STORAGE REQUIREMENTS RETENTION PERIOD
(end of contract plus)
Guest’s Email Address
Guest’s home address
Questions regarding storage can be directed to the Data Controller/Data Protection Officer.
When data is stored in a physical format (paper, etc), it will be kept in a secure location where no unauthorised person can get access.
These guidelines also apply to data that is stored electronically, but that has been printed out.
Paper files, when not being processed, will be stored in a locked drawer/cabinet.
Employees shall ensure that paper/prints that contain Personal Data shall not be left unattended, eg. On a printer or left on a desk, where non-authorised persons can see them.
When no longer required, paper/prints shall be shredded and disposed of securely
Note that Thistle Holiday Lets do not store client data in paper format beyond the standard sales agreement.
When data is stored electronically, it must be protected from unauthorised access, accidental disclosure/loss, accidental deletion or malicious hacking attempts:
Data must be protected with strong passwords, that are changed regularly and never shared
Data stored on removable media (DVD, CD, USB, etc) must be stored securely and locked away when not in use
Data should only be stored on approved drives and servers and should only be uploaded to an approved cloud computing service
Servers containing Personal Data should be sited in a secure location, away from general office space, as appropriate
Data should be backed up regularly
Data should not be saved/stored directly on laptops (unless encrypted) or smart phones/tablets
All services and computers containing data should be protected by approved security software and a firewall, as appropriate
12.0 DATA MINIMISATION
Data will be held in as few places as necessary and only retained in line with the data storage requirements documented in Section 10.0
13.0 DATA SUBJECTS RIGHTS
In line with the new Regulation, individuals have more rights to ensure the protection of their privacy and the security of their data. This section details their rights and how Thistle Holiday Lets will respond to them.
Subject Access Requests (SAR)
All individuals are entitled to:
Ask what information the company holds about them and why
Ask how to gain access to it
Be informed about how we keep it up to date
Be informed about how Thistle Holiday Lets is meeting its data protection and privacy obligations
If an individual makes a request to receive this information, it is called a Subject Access Request (SAR). Thistle Holiday Lets will always verify the identity of the requester and no information will be sent out until that has been undertaken. Approved identity documents will be one that is photographic (national ID card, drivers licence or passport) and one current utility bill. SARS may be requested in any medium (verbally, email, physical letter) and Thistle Holiday Lets has a legal obligation to provide all information processed within 1 month of receiving the request. Ordinarily, there is no charge for this, however, if the SAR is significant in terms of size/complexity, Thistle Holiday Lets does reserve the right to apply an administration fee.
Please note, however, there may be certain circumstances where it is not possible to provide all SAR’s information (in line with the Law). If this is the case, the person will be fully informed.
Right to Rectification
If it is discovered that Thistle Holiday Lets is holding inaccurate or out of date Personal Data relating to an individual, that individual has the right to request that the Data is amended/rectified as quickly as possible.
Right to Erasure
Whilst an individual does have the right to request erasure of their data (also called the Right to be Forgotten) it is not an absolute right, as there are certain instances where their request cannot be accepted. The right can be fulfilled in the following circumstances:
The Personal Data is no longer required by Thistle Holiday Lets in relation to the purposes that originally applied
The individual has withdrawn their consent and there is no other legal basis for processing
The individual objects to Thistle Holiday Lets processing their data and there are no overriding legitimate grounds for continuing to process.
The Personal Data has been unlawfully processed
A legal obligation (e.g. a court order) requires the data to be erased
The data relates to a child and there is no parental consent
If the right to erasure is accepted Thistle Holiday Lets must take reasonable steps to destroy all data, including any that has been made public (e.g. photographs, video clips, etc) and any data that has been forwarded/shared with other agreed 3rd parties, including processors.
The right to erasure may not be accepted for legal or public safety reasons.
Right to Restriction of Processing
An individual has the right to restrict processing in the following instances:
The accuracy of the data is contested, and time is required to verify
The processing of the data is considered unlawful, but erasure isn’t an option
Thistle Holiday Lets no longer needs the data but it may be required to support a legal claim
The individual has objected to processing and verification is required to establish legitimate grounds
Right to Data Portability
The individual has the right to request all their Personal Data held by Thistle Holiday Lets receive it in a machine-readable format and request that it be transferred to another Data Controller. This is applicable when the data is processed by automated means only.
In certain circumstances, the Law allows Personal Data to be disclosed without the consent of the Data Subject.
Under these circumstances, Thistle Holiday Lets will disclose the requested data. However, the Data Controller/Data Protection Officer will ensure that the request is legitimate, seeking assistance from Legal Advisors or Regulators, as necessary.
Thistle Holiday Lets aims to ensure that individuals are aware that their Personal Data is being processed and that they understand:
A. What data is being processed
B. Why it is being processed
C. How the data will be used
D. How it will be stored
E. How to exercise their rights
To these ends, Thistle Holiday Lets has a Privacy Notice, setting out how data relating to individuals is used by us. This is available both electronically on our website and physically (paper copy) on request.
16.0 VERSION CONTROL
Version Date Details Author/Owner
1 11/06/18 First draft KB
Thistle House, Main Street, Golspie
Thistle Holiday Lets doesn’t just offer great holiday homes, it offers a guarantee that when the word ‘Scotland’ is spoken it will stir in you a memory, a smile, and a longing to return.