This document, in conjunction with our standard Terms and Conditions, sets out the basis upon which any personal data we hold about you will be processed.
The rules on processing personal data are set out in The General Data Protection Regulations (a copy of which can be found on the ICO website www.ico.org.uk)
Who we are
What information do we collect and how do we collect it?
We only collect basic personal information about you which you have provided to us. This data is your name, address, email, phone number and any other contact information you have provided to us. We do not collect special category of data about you. We will ensure that we only process data which is adequate, relevant to our purposes and limited to what is necessary for those purposes – we will not ask for more information than we need in order to carry out our business operations.
How we collect data
- When you provide it to us through the use of our website; when you make an enquiry, sign up to any newsletters or promotions, make a booking via our website through the booking system or any other booking platform.
- Through the use of our website using cookies.
- By contacting us by phone and providing us with your information.
- By contacting us via email, any other social media site or platform, or messaging system.
- From any third party sources instructed by you to properly share information with us in accordance with data protection regulations.
What information may we collect
- Data that you provide by making an enquiry, booking or subscribing to any future communication and staying at Rock & Castle Escapes. As well as your name and contact details, this may include information about your stay, your pricing and availability and any additional details you provide to us.
- Details of any accommodation booking made via the Rock & Castle Escapes forms, including guest names and addresses, holiday dates, the date and time the booking was made, how the payment was made and the correspondence between ourselves and our guests.
- Information you provide to us in order to answer or respond to an enquiry you make via a telephone conversation, email enquiry or any other messaging service or social media platform. A record of the correspondence may be kept.
Information relating to your visit to the www.rockandcastle.co.uk website
- Which may include your IP address, location data, information about the device you are using to access the site, what pages you have viewed and at what time you viewed them.
- Cookies are small text files that are typically created when you visit a website and are stored in the cookie directory on your computer.
- There are two types of cookie; Persistent and session specific. Persistent cookies are used to collect data about how the site is being used.
- We also use Google Analytics to track who is using our site.
- We collect information only where necessary for the provision of our services to you.
- You have control over what cookies to accept by changing the settings on your browser to either accept or reject all cookies, or notify you when a cookie is set. Further information can be found at: www.allaboutcookies.org
How and why we use your data
We will use your personal data:
- To communicate with you.
- To fulfil our contractual obligations.
- To notify you about updates and changes to Rock & Castle Escapes service.
- To provide services to you in connection with our business.
- To fulfil our legal obligations.
To support NHS Test and Trace (which is part of the Department for Health and Social Care) in Scotland, we have been mandated by law to collect and keep a limited record of staff, customers and visitors who come onto our premises for the purpose of contact tracing.
By maintaining records of staff, customers and visitors, and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to the coronavirus.
As a customer/visitor of Rock & Castle Escapes you will be asked to provide some basic information and contact details. The following information will be collected:
- the names of all customers or visitors
- a contact phone number for each customer or visitor
- date of visit and arrival time and departure time
We will be responsible for compliance with data protection legislation for the period of time we hold the information. When that information is requested by the NHS Test and Trace service, the service would at this point be responsible for compliance with data protection legislation for that period of time.
The NHS Test and Trace service as part of safeguarding your personal data, has in place technical, organisational and administrative security measures to protect your personal information that it receives from the venue/establishment, that it holds from loss, misuse, and unauthorised access, disclosure, alteration and destruction.
In addition, if you only interact with one member of staff during your visit, the name of the assigned staff member will be recorded alongside your information.
NHS Test and Trace have asked us to retain this information for 21 days from the date of your visit, to enable contact tracing to be carried out by NHS Test and Trace during that period. We will only share information with NHS Test and Trace if it is specifically requested by them.
For example, if another customer at Rock & Castle Escapes reported symptoms and subsequently tested positive, NHS Test and Trace can request the log of customer details for a particular time period (for example, this may be all customers who visited on a particular day or time-band, or over a 2-day period).
Under government guidance, the information we collect may include information which we would not ordinarily collect from you and which we therefore collect only for the purpose of contact tracing. Information of this type will not be used for other purposes, and NHS Test and Trace will not disclose this information to any third party unless required to do so by law (for example, as a result of receiving a court order). In addition, where the information is only collected for the purpose of contact tracing, it will be destroyed by us 21 days after the date of your visit.
However, the government guidance may also cover information that we would usually collect and hold onto as part of our ordinary dealings with you (perhaps, for example, your name, address and phone number). Where this is the case, this information only will continue to be held after 21 days and we will use it as we usually would, unless and until you tell us not to.
Your information will always be stored and used in compliance with the relevant data protection legislation.
The use of your information is covered by the General Data Protection Regulations Article 6 (1) (c) – a legal obligation to which we as a venue/establishment are subject to. The legal obligation to which we’re subject, means that we’re mandated by law, by a set of new regulations from the government, to co-operate with the NHS Test and Trace service, in order to help maintain a safe operating environment and to help fight any local outbreak of corona virus.
By law, you have a number of rights as a data subject, such as the right to be informed, the right to access information held about you and the right to rectification of any inaccurate data that we hold about you.
You have the right to request that we erase personal data about you that we hold (although this is not an absolute right).
You have the right to request that we restrict processing of personal data about you that we hold in certain circumstances.
You have the right to object to processing of personal data about you on grounds relating to your particular situation (also again this right is not absolute).
Our lawful basis for processing your data
We will process your data on the following basis:
- Where it is necessary for us to comply with a legal obligation
- Where it is necessary for us to process your data for the performance of our contract with you, and
- Where it is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights or freedoms.
Securing your data
We take appropriate and proportionate organisational and technical measures to secure your personal data and to protect it against unlawful use and/or accidental loss. We have procedures for the storage and disclosure of your personal data in place to oversee the effective and secure processing of the data.
Sharing your information
We will only disclose your data to the extent it is necessary to run our business. We will only share your data with third parties or allow access to your data where:
- We are legally required to do so or to enforce our own legal rights.
- We are required to do so to enable us to properly perform your booking with us, as explained in our Terms and conditions and at the time of your booking.
By booking directly with Rock & Castle Escapes, your personal data and information will be stored via our booking platform. If you choose to use a third party booking platform, we may pass your personal data to these platforms (please refer to their own privacy policies). We may also share your information with anyone you have authorised to deal with us on your behalf.
How long do we keep your information for?
We will not keep your personal information any longer than is necessary for the purpose for which it was provided unless we are required by law or have other legitimate reason to keep it for longer.
Specific retention periods:
- Rock & Castle Escapes guests that have booked accommodation:
We retain your personal data pertaining to your stay and level of service history for a period of 7 years in order to fulfil our legal obligations to retain records for tax authorities. This will contain booking detail information and your personal details that you have provided to us at the time of your booking.
- Enquiries via letter, email, telephone or third party platforms:
We may retain this information for a period of 36 months.
What are your rights?
You have the right to request a copy of the personal data we hold about you and if it is incorrect or out of date to have it corrected or deleted. Provision of this information is subject to you providing us with appropriate evidence of your identity.
The right to request your personal data is erased where it is no longer necessary to retain such data. In most cases consent is not required for standard business activities involving the use of customer or supplied data but if we have asked you for your consent to our processing any personal data we hold about you, then under data protection law you have the right to change or withdraw your consent.
How to make a complaint
If you wish to raise a complaint on how we have handled your personal data, you can contact us to have the matter investigated – please contact us.
Rock & Castle Escapes is the trading name of Rock & Castle Limited.
Please address correspondence to:
The Data Controller
Rock & Castle Escapes,
East Lothian, EH39 5PW.
If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commission’s Office on 0303 123 113 or by post to the ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or via email https://ico.org.uk