Who we are:
Byron Leisure Limited, Comp. No 04374831, registered at 36 Grizedale Road, Blackpool, United Kingdom, email: firstname.lastname@example.org
In a nutshell, this Policy is about building your trust in our business. When you give us your personal information online or otherwise, it is handled with great care; necessary steps are taken to store it safely and use exclusively in a legally approved way. Such information will in no event be disclosed to any third party, having your explicit consent. The only possible, though unlikely, instance of our files disclosure may be when the police or a law enforcement authority conducting an investigation obligates us to do so. Otherwise, any personal data will be treated in strict compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Directive 95/46/EC of the European Parliament and of the Council dated October 24th, 1995, on the Protection of Individuals with regard to the processing of personal data (PII (US) and on the free movement of such data) and other legislative acts that may be adopted later on.
The below Policy outlines our company approaches to dealing with the personal data pertaining to our clients or website visitors.
Collected Types of Information
The information our company collects concerns, to some extent, the personal aspects of its clients and website visitors. As a rule, this information includes usernames, membership IDs, e-mail and IP addresses, additional contact details, feedback comments, blog posts, photographs, payment data, including payment agent information, transaction details, applicable taxation information, help desk requests, forum entries as part of web analytics. Personal information from vacancy applications (such as CVs, filled-in application forms, cover letters, and job interview notes) is subject to collection as well.
Potential Risks When Protecting the Data
The purpose of this Policy is to enable the company avoiding the risks it may run, divided into three main classes:
Failing to offer choice
Damage to reputation
Data on Human Resources
Within the commonly accepted recruitment practices, we may use standard personal data in CVs, sourced online and from social media, when performing a proof of identity/address and a proof of qualification if deemed necessary. Once the vacancy is filled, all personal data on an unsuccessful job applicant is destroyed with the use of shredding equipment.
The information on current employees is duly stored in a safe at the company head office premises. Personal data belongs to the information we have to retain for legal purposes. Should such requirements no longer be valid, these records would be destroyed as above.
Although an overview of functional duties will be given further, here are the key duty holders:
The Board of Directors is a body whose ultimate responsibility is to make the company compliant with every data security requirement relevant to its business. Each Board member is seen as its representative from the legislative data protection perspective.
Data Protection Officer (DPO) is charged with the duty to keep the Board informed about changes in the data protection legislation and update the data protection guidelines within the company as well as to conduct trainings and handle employee queries on the subject. This position also deals with client requests to view the data retained on them – referred to as ‘subject access requests’; it also reviews agreements and contracts concluded with third parties that maintain or process all types of sensitive data which can be attributable to our company.
IT Department is to guarantee that any company information systems function as per the established data storage standards. Their job is to perform systematic checks and do due updates for the software and hardware to stay fully compliant. They are also tasked with the evaluation of third party suppliers of data depository services.
Marketing Department undertakes to review the statements on personal data protection contained in any communications. Their duties include addressing queries on data protection coming from various media sources and also assisting other staff members to stay compliant during the marketing initiatives implementation.
General Staff must be comprehensively trained to be capable of working in accordance with this Policy in their assigned roles. No access will be granted to any team members to the information regulated under the respective Policy unless they undergo the required training in full.
Personal Information Collection Ways
The collection of your personal information goes in three main directions: (I) you provide it to us directly; (II) you browse on our website or get redirected to it from other sources; (III) you make use of our services. The direct information provision is done by completing a registration form on the website, buying our products, subscribing to the company news and direct mailing, submitting feedback, joining a contest, participating in an opinion survey, or sending us a message. Also, you may share the data on you in person.
Other Sources of Personal Information
In the majority of cases, most personal data on the company customers and website visitors come directly from them. However, some personal data is derived from other sources, namely:
financial details coming from EU payment service providers used to process payment transactions;
third party companies (such as Facebook or Google) from the USA or the UK having your sign-in details and profiles used to connect, get linked, or enter your account. The information sent to us by them is of a different kind and typical to the service provider or as per the privacy management settings you made at the respective web resource;
our partners/agents who render you as their client the services purchased from us or on our behalf, whereby they share with us the personal information on you within the legal framework.
Storing the Data
All matters concerning the data storage are handled by the DPO or the IT Director within their competence.
Data that exists in the paper format is safeguarded in a location with the restricted access where only the employees needing access to it within their functional duties are allowed to enter. At all other times, the room remains electronically locked.
When files or documents are not processed, they are stored away in safe/lock protected areas.
The destruction of documents containing any sensitive, personally attributable information or pieces of communication by shredding is duly taken care of.
Electronic files are deposited with our external IT service providers, with further details as to how this information is treated to be shared upon request.
The internal policies designed to ensure that this data is duly handled by our employees are also in place.
Each employee is to check that the screen of a computer linked to the personal data depository is locked when the machine is left unattended.
No one is allowed to share personal data informally. During an electronic transfer, it is preliminarily encrypted as appropriate.
No transfer of personal data is permissible outside the European Economic Area, unless done upon a specific client’s request.
Retaining and Destroying the Data
As a rule, personal data media is not maintained longer than is necessary and is destroyed in due time. Any file types which are not actual, are archived in our storage area, retained for an appropriate period of time, and then disposed of. With no exceptions, such data carriers are securely destroyed. In all company departments, there is shredding equipment installed necessary to destroy records as appropriate.
How We Notify About Data Loss
In case of occurrence of a security breach or if a personal data is suspected to be compromised, any employees are to report it to the DPO and the Directors the soonest possible.
The security incident should also be brought to the notice of the respective authorities. The shortest timeframe for reporting is seven days after it and a notification has to be issued as early as the data loss confirmation is in place. The report should contain information on the incident nature, the extent of the compromise, and also the actions aimed to remedy the issue.
An individual who is involved in the incident should receive a notification of it within a seven-day term or once the data loss details are known. The notification should include a detailed explanation of the measures applied to correct the situation, including the actions potentially needed from the individual to prevent it from happening in the future.
Both the respective authorities and the individual suffering from the data loss should receive regular updates on the incident consequences elimination until the issue is resolved. The company is due maintaining the documentation which should be immediately available to all parties concerned upon request.
Standard Uses of Personal Information
First of all, your personal information is applied in the process of our fulfilment of the contractual obligations. In particular, placing an order or buying services or products from us, you make it possible to execute the transactions on our website. We also need your personal data in view of our lawful interests, including those of the third parties we cooperate with. These interests comprise the following:
running the website;
rendering the services shown on the website;
checking your ID during signing up on our website;
handling a customer support ticket as well as contributing to a dispute resolution;
sending you updates on the website functionality, e.g. its new features, operational improvements or security maintenance;
performing a technical analysis as to perfecting our website and rendering the services;
managing our customer relations through responding to the feedback or questions submitted via our website, by e-mail or other existing means of communication or following our invitation to clients to provide their comments or join an opinion survey;
attending to the matters related to running our operations and meeting legal requirements (i.e. reviewing the website contents and fighting fraud);
giving training to our staff members to provide the highest quality services to clients;
revamping our services and goods;
performing the general tasks of administrative and functional nature; and
processing the job application forms received from candidates.
Customer consent driven:
with the objective of product and services marketing by sending special offers which are likely to be of your interest; and
reacting to requests from public authorities, court of justice or law enforcement bodiesduring an investigation.
Recipients and Occasions of Personal Information Disclosure
Solely the following recipients will be rightfully accessing the personal information:
subcontractors or third party service providers involved in the processing of such information (see above) – all located in Europe: website hosting companies, customer support and technical services suppliers; marketing and analytical support providers; fraud prevention and security service agencies; payment processing companies. Please be informed that the said subcontractors and providers of services may be accessing and transferring this information to the countries outside Europe where they run their operations;
our company counsellors (e.g. legal and financial advisers, accounting professionals, etc.) coming from Europe;
regulatory and government bodies supervising our compliance and fulfilment of obligations;
buyers or potential purchasers, together with their professional advisers, interested in acquiring our company assets in whole or in part;
third parties involved in the investigation of alleged or suspected unlawful activities or as part of a criminal prosecution;
third parties assisting in exercising or protecting our rights or preventing any risks concerning our finances or reputation;
rights owners concerned about the infringement of their intellectual property rights or other ownership rights;
other possible personal data recipients as per an issued authorisation or a legal request for such actions to us.
Locations for Transferring and Storing Personal Data
Since our company headquarters are based in Europe, your personal data handling is Europe bound as well. Although, as said above, some personal data recipients may have their offices outside Europe, we make every effort to only cooperate with third-party providers we deem to be capable of complying with the commonly acceptable data management standards.
Secure Keeping of Personal Information
We engage the servers with high security levels belonging to our company or operated by our service providers for storing your personal data and on time creating hard copy backup files to be then kept at specially designated premises in Europe. The stored or transmitted personal details are protected by the means of such control mechanisms as a username check, password verification, a two-factor authentication, and an appropriate file encryption.
Ways of Accessing Customer’s Own Personal Information
With the intention of getting access to your own information or correcting any inaccuracies in it, we recommend referring to the contact details at this document bottom to make a due request.
Personal Data Uses in Marketing
Following your consent to be sent marketing-related messages from our company which is usually given when signing up to our direct mailing or checking the respective box, thus showing you are interested in special offers, you will be contacted with regard to our services and products considered as relevant to you resulting from our data analysis. You may refuse to receive such communications by just pressing the button for opting out available in every e-mail of such content.
Web Analytics and Usage of Cookies
Apart from a marketing choice, you can also express your choices as to cookies through making the respective browser settings, with the following three options available: (I) accept all; (II) get notified of a cookie set; (III) automatically reject them all. Choosing the last option, you should bear in mind that certain website features might not work as expected.
To get more information about cookies in general, please proceed to http://www.allaboutcookies.org.
At the time of each visit, certain information on a visitor is gathered. It is usually generalized and personally unidentifiable, partly consisting of your login details. The data that gets recorded during it is as follows:
IP address – yours or of proxy server;
entered domain name;
ISP name (its capturing is a function of the Internet connection configuration);
visit date and time;
pages been accessed;
monthly count of website visits;
viewed file URL and data pertaining to it;
redirecting referral website; and
OS type installed on your PC.
We as a company are not interested in collecting personal information on children aged below 18 years since our services are not intended for minors. So, persons that are less than 18 years old should not access our website or communicate their personal details to us. Parents or custodians carry responsibility for monitoring the Internet activities of the children in their ward.
Published and Shared Personal Information
Should it be your conscious decision to have the data on you publicly known, most definitely it is not in our power to control and we should not be held liable for how such data is used or abused. In performing the following activities, you may find yourself feeding your personal information to others: posting comments on publicly accessible forums, reposting certain content in social media, getting into contact with other Internet users, be it on our website or directly. Think it over prior to making your own personal data published or placing it at somebody’s disposal.
Retention Time of Personal Information
Certain amendments to this Policy are made in due time to keep it in line with the existing legislation and reflecting the latest developments in our privacy protection practices.
Contacting Us as to This Policy
To pose us the questions arising from the privacy management or your personal data applications, please turn to the contact information at the top of this document.
Our company acts as the ‘data controller’ with the reference to the laws on data protection and privacy governing in the territory of the EU, e.g. the aforementioned GDPR.
Possibilities of Personal Data Accessing
You are empowered to request transferring back your personal data, its deletion or refraining from its processing for specific purposes, inclusive those pertaining to our lawful interests, e.g. profiling and customer base segmentation for e-mail marketing. It is also in your power to revoke the authorisation given to us before.
Nonetheless, sometimes your right for objection might be restricted – e.g. when we are legally bound of keeping your personal records. There can be cases when we are still allowed to partly use your personal information even after the consent is withdrawn.
For certain purposes, the personal data must be provided mandatorily. If not made available, it will incapacitate us from fulfilling our obligations under the contract or the law. Where the accessibility of personal information has no effects on our customer relationships, such request is qualified as optional.