Welcome Break Privacy Notice
Our Privacy Policy
Our Privacy Policy
Welcome to the privacy policy of Welcome Break Limited (collectively referred to as Welcome Break/we/us/or in this privacy policy) for our websites at welcomebreak.co.uk and hotels.welcomebreak.co.uk/ (Sites).
Your privacy is very important to us, and we are committed to protecting your personal data.
Welcome Break is open and transparent about what we do with your information; we only keep what is necessary with a vision to provide you with a better service.
This policy is here to assist you in making informed decisions when using our Sites services, products and mobile app and aims to give you information on how we collect and process your personal data through your use of the Sites.
It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so, that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.
Purpose of this Privacy Policy
We want to offer you a real choice and control over your data and want to build your trust and engagement with us, so we designed this policy to tell you about how we process, store, disclose, collect, receive, and make use of your personal information, and how to request for your data to be removed.
We want to clarify that the website is here for those above the age of eighteen (18) and we do not knowingly collect data relating to children.
Also, we do not collect information about criminal convictions, employee data or about customers who wish to self-exclude from our adult gaming centres.
Data Controller
We are the controller and responsible for your personal data. We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about it, including any requests to exercise your legal rights, please contact our DPO using the details set out below.
DPO Contact email: dpo@welcomebreak.co.uk
Lawful basis for processing information
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- where we need to perform the contract, we are about to enter or have entered with you.
- where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- where we need to comply with a legal obligation.
Please go to the Glossary at the end of this policy to find out more about the types of lawful basis that we will rely on to process your personal data.
Generally, we do not rely on consent as a legal basis for processing your personal data, although we will get your consent before sending third party direct marketing communications to you via email or text message.
You can remove your consent at any time. Just send an email to dpo@welcomebreak.co.uk.
Purpose Limitation & Retention Period
Welcome Break Ltd (and any or all its holding or subsidiary companies) will store your personal data to provide you with details about our goods and services, for administration and customer services, for marketing, and to ensure that the content, services, and advertising that we offer are tailored to your needs and interests.
Purpose/Activity | Type of data | Lawful basis for processing including legitimate interests | |
---|---|---|---|
To register you as a new customer | (a) Identity
(b) Contact |
Performance of a contract with you | |
To process and deliver services, such as:
(a) Manage payments, fees and charges (b) Collect and recover money owed to us |
(a) Identity
(b) Contact (c) Financial (d) Transaction (e) Marketing and Communications |
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to recover debts due to us) |
|
To manage our relationship with you which will include:
(a) Notifying you about changes to our terms or privacy policy (b) Asking you to leave a review or take a survey |
(a) Identity
(b) Contact (c) Profile (d) Marketing and Communications |
(a) Performance of a contract with you
(b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
|
To enable you to partake in a prize draw, competition or complete a survey | (a) Identity
(b) Contact (c) Profile (d) Usage (e) Marketing and Communications |
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business) |
|
To monitor access to our adult gaming centres to ensure that U18s do not access the areas, and identify those individuals that have asked us to monitor their attendance at our adult gaming centres and those who we know to be a threat to the safety of our customers, employees and property.
To carry out interventions in our adult gaming centres as we deem necessary. |
(a) Identity
(b) Contact
|
(a) Necessary to comply with a legal obligation
(b) Consent (c) Necessary for our legitimate interests (to ensure the safety of our customers, employees and property) |
|
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity
(b) Contact (c) Technical |
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Necessary to comply with a legal obligation |
|
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | (a) Identity
(b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical |
Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) | |
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | (a) Technical
(b) Usage |
Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) | |
To make suggestions and recommendations to you about goods or services that may be of interest to you | (a) Identity
(b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and Communications |
Necessary for our legitimate interests (to develop our products/services and grow our business) for your benefit |
Welcome Break will only keep your information for a reasonable period for these purposes and those described in more detail below (under the heading Purposes for which we will use your personal data). We may need to share your information with our service providers and agents for these purposes. We may disclose personal data to comply with a legal or regulatory obligation. We may transfer the data that we collect from you to a destination outside of the United Kingdom (UK) and the European Economic Area (EEA). By submitting your personal data to us, you agree to this transfer, storing or processing. For further information about how we deal with your data when transferring it outside of the UK, please see the Glossary.
Purposes for which we will use your personal data.
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful basis, depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal basis on which we are relying to process your personal data where more than one basis has been set out in the table below.
Marketing
We strive to provide you with choices regarding certain uses of personal data, particularly around marketing , advertising & newsletters etc. We have established a privacy centre where you can view and make certain decisions about your personal data by going to https://datapreferences.airship.co.uk/?a=welc currently hosted by Airship.
Promotional offers from us
We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have not opted out of receiving that marketing.
Third-party marketing
We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.
Opting out
You can ask us or third parties to stop sending you marketing messages at any time by (1) logging into your account and checking or unchecking relevant boxes in our Privacy Centre to adjust your marketing preferences] (2) by following the opt-out links on any marketing message sent to you or (3) by contacting us at any time.
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us because of purchasing service from us (e.g., the sending of an order or booking confirmation) or other related transactions.
Use of Google Ad Services
We use a number of Google products to serve internet advertising when people carry out searches using Google's search engine. We do not process any personal data about you, but rather use the Google products to serve adverts on users that meet certain criteria (for example when a user is searching for a hotel in a particular area for that night). We receive information on whether a recipient of the advert went on to make a booking with us, but we can't identify you as an individual from the information that we collect. Third party cookies (or similar technologies such as web beacons) may be deployed as a result of this service. Please see our Cookie Policy [Cookie Policy - Welcome Break for more information about our use of cookies.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
What personal information do we collect?
In general, when you (User) visit our web sites and access information, you remain anonymous. Before we ask you for information, we will explain how this information will be used. We will not provide (and will never sell) any of your personal information to other companies or individuals without your consent.
There are occasions where we will ask for additional information. We do this to be able to better understand your needs and provide you with services that we believe may be valuable to you.
When you visit one of our Sites, you may provide us with two types of information:
- personal Information you provide to us on an individual basis.
- website usage information collected as you and others browse our website.
The type of data collected, stored, used, and transferred may be the following:
- Identity Data: personal details and vehicle identity data (e.g. car registration number).
- Contact Data: includes billing address, emails address and telephone number(s).
- Usage Data: such as location
- Profile Data: such as username and password
- Financial Data: includes bank account and payment card details, which may be used for the purposes of transaction analysis only.
- Transaction Data: includes details about payments to and from you and other details of products and services you have purchased from us.
- Marketing and Communications Data such as marketing and communication preferences in respect of third parties
- Technical Data: internet protocol (IP) address, browser, log in data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Sites.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Some of the data captured above will constitute personal data, as defined under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA) and which we shall refer to below as Data from now on.
We also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
Special Category Data
We do not intentionally collect any details about your race or ethnicity, health and genetic data, religious or philosophical beliefs, sexual preferences, political group participation, trade union membership or criminal record.
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you at the time if this is the case.
Your consent
By using our Sites, you consent to our collection and use of your Information as described in this privacy policy. If we change our privacy policy or any related procedures, we will post those changes on our Sites to keep you aware of them.
Facial Recognition Technology at our Adult Gaming Area at Welcome Break Sites
We use facial recognition system in the adult gaming centres at our sites to help evaluate the age of customers, We do not allow children (U18s) within this area and employees are notified if a child is using the area so that they can be removed. Any facial images taken by a camera dedicated to facial recognition and analysed are not stored by us. The facial recognition system is also used to identify individuals that have asked us to monitor their attendance at our adult gaming centres and those who we know to be a threat to the safety of our customers, employees and our property. Any facial images taken by a camera dedicated to facial recognition are only analysed for a few moments, they do not get stored and are not used by Welcome Break for any other purposes other than those set out above.
Interventions at our Adult Gaming Area at Welcome Break Sites
In accordance with our obligations under the Gambling Commission's Licence Conditions and Codes of Practice, we are required to intervene have a number of obligations
If you have chosen to self-exclude from our adult gaming centres, we may also use the vehicle registration number that you provide to us as part of the self-exclusion signup process to notify us that you may be on site to help us ensure that we are efficiently carrying out any intervention that you have requested from us. This information will be shared with us by Parkingeye, who manage our car parks for us.
We may also use anonymous analytics information from our gaming machines to establish whether we (at our discretion) ask whether the user of a particular machine needs a break from using our machines. The information collected is linked to a session on a gaming machine and we can only identify you as the player at that machine at the time that one of our employees enters the adult gaming centre. We do not link any of the information about a session on our gaming machines to identify you for any other purpose and we don't keep a record that any individual was playing during a particular session, only that an intervention took place.
Use of Heat Mapping and Age and Gender Recognition Technology
We use technology at our service station sites to help count the number of visitors to our sites and to gain greater insight about how our visitors interact with and move around our sites. We use technology to analyse a blurred overlay of the CCTV (which you can't be identified from) on our sites. This technology tracks visitor movement to provide anonymised statistical heat mapping of where our visitors have been on our sites based on demographic information that is estimated by the technology (age and gender). This statistical information helps us identify trends and adapt our sites to improve visitor experience. The technology can't be used to track any specific individual and only provides us with general statistics about out visitor base as a whole. All of the data collected is completely anonymous and as a result your personal data is not processed. All demographic information is estimated, is not linked to you as an individual, and is used simply to help us identify trends within the anonymous data.
Circumstances where data collection takes place:
Your personal data is collected by us in the following circumstances:
- when you provide your personal details to use our Wi-Fi network, make a booking, send us emails, purchase products or services, use our parking, stay at out hotels, participate at promotions, sign up to marketing emails, newsletters, take part in customer surveys, give feedback, order items, contact us via telephone, request information, interact with us to supply services, or open an account for making purchases from us, and/or make a purchase using credit or debit card;
- when you visit our sites, a CCTV image is recorded at the forecourt, hotel lobby, petrol station, certain HGV car parks and drive through areas and your vehicle registration number is also recorded by a third party which looks after our car park. Their ANPR (automatic number plate recognition) system will capture your vehicle registration number automatically as you enter and exit the sites.
- if you require medical assistance, suffer an accident or loss, need urgent care or police support.
- when you access our Sites and/or app or interact with us on social media platforms.
- if your information is shared with us by a third party such as booking.com or expedia.com.
- if you are not happy about our services and make a complaint or ask a third party to act or on your behalf to investigate an incident.
Third parties or publicly available sources. We will also receive Data about you from various third parties and public sources as set out below:
- Identity, Contact and Transaction Data when you make a reservation for a hotel that we operate. We receive the data from the third parties that manage reservations for the hotels that we operate. For example, if you book a Wyndham hotel (either with Wyndham directly or on a hotel booking site) that we operate on behalf of Wyndham, we will be provided with data about you by the organisation that you booked with to allow us to fulfil and manage your reservation.
- Technical Data from the following parties:
(i) analytics providers such as Google based outside the UK (see further below)
(ii) advertising networks based inside or outside the UK
(iii) search information providers based inside or outside the UK
- Contact, Financial and Transaction Data from providers of technical, payment and delivery services
- Identity and Contact Data from data brokers or aggregators based inside and outside the UK
- Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register based inside the UK.
The above is not intended to be an exhaustive list of when your personal data is recorded but aims to give several common situations in which it can occur.
Data Security
We maintain the highest standards of security. However, the transmission of information via the internet is not completely secure. Whilst we will do our best to protect your Information, we cannot ensure the security of your data transmitted to our Sites. Any information you submit is sent at your own risk. Once we have received your Information, we will use strict procedures and security features to prevent unauthorised access.
Our system is regularly scanned for vulnerabilities by our IT consultants. We use data encryption/redaction and various other security measures and features to keep your data safe, as well as multi-factor authentication for data transfers. Please see the Glossary and our Data Security Policy for further information.
Cookies
Cookies are an essential part of the Internet, if they weren’t around, webpages would be a lot less useful and interactive. For information about our use of cookies and how to manage them, please see our Cookie Policy - Welcome Break
Like other commercial websites, our Sites use a technology called “cookies” (see further below) and web server logs to collect information about how our Sites are used. Information gathered through cookies and web server logs may include the date and time of your visit, the page(s) viewed, time spent, and the websites visited just before and just after visiting one of our Sites.
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.
How do we use the information we collect from cookies?
As you browse one of our Site(s), it uses cookies to differentiate you from other users to prevent you from seeing unnecessary advertisements. Cookies, in conjunction with our web server’s log files, allow us to calculate the aggregate number of people visiting our website and which parts of the website are most popular. This helps us gather feedback so that we can improve our website and better serve our customers. Cookies do not allow us to gather any personal Information about you and we do not generally store any personal Information that you provided to us in your cookies.
To manage cookies, you may:
- Allow all cookies.
- Delete or block all cookies.
- Open a ‘private browsing’ / ‘incognito’ session.
- Block ‘third-party’ cookies.
- Clear all cookies when the browser gets closed.
- Install add-ons and plugins to extend browser functionality.
Mode and place of processing Data
Methods of processing: as Data Controller, we process Data in a proper manner and take appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of Data. Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In some instances,
Access to Data: Data may be accessible by persons involved in the operation of the site (such as administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as data processors by the Owner. An updated list of these third parties may be requested from the Data Controller at any time.
Place of Processing: Data is processed at the Data Controller’s offices and in any other places where the parties involved with processing of Data are located. For further information, please contact the Data Controller.
Use of collected Data.
Data concerning Users is collected to allow the Owner to provide its services, as well as for the following purposes: Analytics and Contacting the User. Data used for each purpose is outlined in the specific sections of this document.
(1) Analytics
The services mentioned in this section enable us to monitor and analyse web traffic and can be used to keep track of User behaviour.
Google Analytics (Google Inc.): Google Analytics is a web analysis service provided by Google Inc. (Google). Google utilizes the Data collected to track and examine use of our Sites and to prepare reports on its activities. Google may use the Data collected to contextualise and personalise the ads of its own advertising network.
Personal Data collected by Google: cookies and usage data.
Place of processing: United States. For details of how Google processes your data, please see its. If you do not wish your Data to be used by Google Analytics, you can opt out of this by installing the Google Analytics Opt-out Browser Add-on by clicking here.
Contacting the User
Contact form: By filling in the contact form with their Data, the User agrees to the use of these details to reply to requests for information, complaints, feedback, or any other kind of request as indicated by the form’s header.
Personal Data collected: email address, first name and last name, phone number, additional information added by user, including locations visited and times of visits.
Interaction with external social networks and platforms: Facebook Like and share buttons including social widget, Twitter Tweet button including social widget.
Personal Data: Cookies and Usage Data
Journey Planner: The journey planner allows the user to enter from and to points for planning a journey or location (postcode, town, or city). No entered user data is stored by the application.
Property Management System
Guestline UK hosts the property management system on behalf of Welcome Break Holdings Ltd and holds all user personal data within their systems.
Personal Data: email address, first and last name, telephone number, address, and payment details.
Place of processing: UK – see Guestline’s Data Policy and Privacy Policy
Links: We link to a wide variety of other sites. We are not responsible for the content or privacy policies of these sites, or for the way in which information about their users is treated. Unless expressly stated, we are not agents for these sites, nor are we authorised to make representations on their behalf.
System logs and maintenance: For operation and maintenance purposes, our Sites and any third-party services may collect files that record interaction with our Sites (system logs) or use for this purpose other personal data, such as an IP address.
Protecting your rights
You are entitled to ask for a copy of the information we hold about you and to have any inaccuracies in your information corrected. If your personal details change or you change your mind about any of your marketing preferences, please get in touch if you have any questions about how we use your information or how to change your marketing preferences if you are having difficulty doing so.
Your Legal Rights
Right of access – You have the right to ask us for a copy of your personal information.
Request rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Request erasure – You have the right to ask us to erase your personal information in certain circumstances. For details of how long we retain your personal data for, please see the Glossary (under the heading ‘Data retention’)
Restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Object to processing – You have the right to object to the processing of your personal information in certain circumstances.
Data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
Withdrawal of consent at any time - Where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
You are not required to pay any charge for exercising your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances. If you make a request, we have one month to respond to you, and apply for an extension of further two months in certain circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Third Parties
We may disclose your Data to the following third parties as part of processing:
- Internal Third Parties as set out in the
- External Third Parties as set out in the
- Specific third parties listed in the table under the heading Purposes for which we will use your personal data
- Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
In relation to the above organisations, you can:
- Object to processing of your personal data, request restriction of processing, erasure, correction, access to the information on file
- Withdraw consent to future collection of data.
Third-party links
Our Sites may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave one of our Sites, we encourage you to read the privacy policy of every website you visit.
Our Sites may, from time to time, include videos providing information about our services or containing other promotional material. These videos are available on YouTube and are made available on our Sites by our use of the YouTube API Service. When you click on these YouTube videos, you:
- agree to be bound by the YouTube terms of service which can be found here - (https://www.youtube.com/t/terms); and
- you acknowledge that your personal data will be processed by YouTube in accordance with Google's privacy policy which can be found here - http://www.google.com/policies/privacy.
If you wish to exercise any of the rights set out above, please contact us.
Complaints – Please contact us first so that we can make it right again – Contact email: dpo@welcomebreak.co.uk
Contact & Further Information
It is our job to assist you make the best choices. If you have any queries about how we use your information, please get in touch.
Welcome Break Head Office:
Welcome Break Ltd
2 Vantage Court,
Tickford Street,
Newport Pagnell,
MK16 9EZ
Contact email: dpo@welcomebreak.co.uk
If you require more information, and you cannot find it here, or if you are not happy with the service, we provided to you:
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Policy Review Information
We do our best to keep our policies up to date and review it regularly. This is version number 3 from February 2023. Written by The Welcome Break Data Protection Team based at our Head Office.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
GLOSSARY
Lawful Basis
Legitimate Interests means the interests of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering such a contract.
Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.
Third Parties
Internal Third Parties
Other companies in our Group, acting as joint controllers or processors and who are based in in the United Kingdom and provide IT and system administration services and undertake leadership reporting.
External Third Parties
- HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.
- Medical and emergency service providers where your vital interests (as defined in the UK GDPR) are at risk.
- Not-for-profit bodies, for example, gaming charities, where support is requested by you.
- Health, social care, and public health authorities (for example, for Covid testing)
- Local authorities, police, and law enforcement agencies
- Insurance companies
- Staff members who process CCTV requests and redaction tasks
Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors, and insurers based in the United Kingdom who provide services.
- Other third-party data processors who may process data on our behalf with an appropriate data processing agreement in place.
International Transfers
Some of our external third parties may be based outside the UK, so their processing of your personal data will involve a transfer of data outside the UK. Whenever we transfer your personal data out of the UK, we aim to afford a similar degree of protection to it by ensuring at least one of the following safeguards is implemented:
- we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
- where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Data Retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes for which we collected it, including satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.
By law we must keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.
In some circumstances, you can ask us to delete your data: see under the heading ‘Your Legal Rights’ above for further information.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Updated October 2023