INTRODUCTION AND DEFINITIONS
ArtsAbroad Limited ("we", "our" and "us") is committed to protecting and respecting your privacy.
This notice (and any other documents referred to in it) set out the basis on which any personal data, which we collect about you, that you provide to us or that we have received from a third party source, will be processed by us.
References in this notice to "data protection law" mean (as applicable) the Data Protection Act 1998 (and subsequent legislation), the General Data Protection Regulation (Regulation (EU) 2016/679) and all related data protection legislation having effect in the United Kingdom from time to time.
References in this notice to "data or "information" include "sensitive personal data" and "special categories of data" (as defined under data protection law) where applicable.
1 OUR DETAILS
The data controller with conduct of your personal information is ArtsAbroad Limited of 22 RUTLAND STREET, LONDON, SW7 1EF Company No. 07899968.
Our data protection officer is Alexander Witcomb at ArtsAbroad and he can be contacted at the above address or on awitcomb@Artsabroad.co.uk.
2 HOW WE USE YOUR INFORMATION
2.1 The following sections explain what information we hold about you, why we are processing that information, the legal basis for the processing, the duration for which we keep your information and (if applicable) who your information will be shared with and where those recipients are based.
Which information do we process and for what purpose?
2.2 We process the following information from you:
2.2.1 Information you give us.
As a user of our website: This is information about you that you give us by filling in forms on our site. It includes information you provide when you register to use our site, request marketing information and when you report a problem with our site. The personal data within this information you give us may include your name and email address. It may also include any personal information that you have included within your message to us.
As a client ( or a potential client) making enquiries
2.2.2 This is information that you give us when you become a client of ArtsAbroad or when you make an enquiry. It will include Full names, Address, Email address, Telephone Number, Mobile number, Date of Birth, Passport Number, Passport Expiry, Country of Passport Issue, Nationality, Payment details (cheque / bank transfer / credit card details).
2.2.3 If you have any medical conditions or other disability that we need to be aware of during the tour, we will also process this special category of personal data.
As any other third party
2.2.4 In respect of other third parties whose personal data we might collect, such as a contact of any hotel or other business supplier that we contract with, this may usually be your name, email address, job title, phone number and possibly your home address or work address.
As an employee or Job applicant of ArtsAbroad Estates Limited
2.2.5 If you are an employee of ours or are applying for a job, please refer to our employee privacy notice or our candidate privacy notice.
2.2.6 In respect of all categories of data subjects above, we process information you give to us for the following purposes:
184.108.40.206 to arrange for your participation on the tour that you have booked or indicated an interest in. This includes (but is not limited to) booking travel and accommodation, entrance to museums and galleries on the tour, dealing with international travel agents and hotels, insurance issues;
220.127.116.11 to manage your account with us;
18.104.22.168 to instruct you to carry out services on our behalf;
22.214.171.124 to carry out your employment with us;
126.96.36.199 to notify you about similar tours that might be of interest to you; and
188.8.131.52 to notify you about changes to any tour that you have booked on, or indicated an interest in.
2.2.7 We process information we collect about you for the following purposes:
184.108.40.206 to allow us to administer the account you hold with us;
220.127.116.11 to improve our services;
18.104.22.168 to ensure that content from our site is presented in the most effective manner for you and for your device; and
22.214.171.124 to measure or understand the effectiveness of advertising we serve to you and others, and possibly to deliver relevant advertising to you on our site.
What are the grounds for processing your information?
2.3 We are processing your data on the following grounds:
2.3.1 Where you are a private individual, the processing is necessary for the performance of the contract between you and us. This includes where you have instructed us to take some pre-contractual steps (such as providing you with a quotation) prior to us formalising the contract;
2.3.2 where you are a named contact for a corporate client, supplier or contractor or other third party contact, because we have a legitimate interest in communicating with you to arrange and/or administer the performance of the contract between us and your employer or principal. In accordance with our obligations under data protection law, we have carefully weighed up your interests and fundamental rights and freedoms against our interest to process your information and we are satisfied that we are justified in processing your information for this purpose;
2.3.3 the processing is necessary for us to comply with our legal obligations;
2.3.4 the processing is necessary to protect your vital interests or the vital interests of another person.
Duration and further processing
2.4 We only keep your information for so long as it is reasonably necessary. When setting our data retention periods, we consider the amount, nature, and sensitivity of the information we hold, the potential risk of harm from unauthorised use or disclosure of the information and the purposes for which we process the information (including whether we can achieve those purposes by other means). We also take into account our other legal obligations to keep or securely dispose of personal information.
2.5 Generally speaking, we retain your information for the following periods of time:
2.5.1 In respect of information collected through our website and from any potential clients making enquiries- 10 years;
2.5.2 Personal Data relating to customer complaints - 10 years;
2.5.3 Personal Data relating to new and existing customers - 8 years;
2.5.4 Personal Data relating to suppliers, agents or other third parties - as required taking into account the considerations above.
2.6 There may be instances where we need to keep your information for a longer period then we will notify you of the reason and grounds for doing so. This may be the case, for example where for example, a dispute arises in respect of the contractual relationship between us.
Who is your information shared with?
2.7 Your personal information is not shared with anyone except where we are required to do so to comply with the law, to protect our rights and operate our usual business practices, or to improve and expand our products and services. Further details are given in the rest of this clause.
2.8 In order to achieve the purpose(s) set out in section 2.3 above, we may share your data with the following people or group of people:
2.8.1 Airlines, travel companies, train and rail providers, coach companies and other forms of travel companies.
2.8.2 Hotels and other third parties offering accommodation during the tour;
2.8.3 Insurance companies providing insurance cover for our tour;
2.8.4 Customs and board control where we cross international borders;
2.8.5 Our outsourced IT providers may have access to your personal data on our IT systems if such access is required to enable them to resolve problems with our systems. In certain circumstances they may require access to unencrypted data, for example when we need to troubleshoot an issue with your account on our computer system. Our IT providers are subject to strict contractual obligations to treat your personal information with the utmost sensitivity, to keep it confidential and to comply with data protection law at all times.
2.8.6 Our legal advisers, our insurers or other professional advisers, if necessary to defend claims, protect our rights, or receive advice on compliance with the law. Such transfers will be protected by confidentiality obligations owed by our advisers.
2.8.7 Regulatory or other statutory or other government body with whom we are required to share personal data.
2.8.8 Potential purchasers of our business, subject to those persons entering into strict confidentiality obligations with us and only to the extent permissible under data protection law.
2.9 We may share non-personal information with sub-contractors engaged by us to help us operate our site, and to analytics and search engine providers that assist us in the improvement and optimisation of our site.
2.10 Your personal data will be transferred outside of the UK, within the European Economic Area or to any country which is not approved by the European Commission depending on the final destination of the tour that you have booked onto. We will ensure that there are adequate safeguards with regard to the protection of your personal data in one of the following ways as appropriate:
2.10.1 Transfers to a third country within the EEA are authorised by the EU commission;
2.10.2 Transfers to a third country which is approved by the EU commission are authorised by the EU commission;
2.10.3 Transfers to a third country which is not approved by the EU commission shall take place under Article 49(1)(b) of the GDPR which permits transfers of personal data which are necessary for the performance of the contract between us and you. This covers international transfers for the purposes set out above.
2.11 Please note that your personal information is also stored in DropBox whose servers are located in the USA. DropBox has signed up to the EU/US Privacy Shield which ensures that adequate safeguards are in place with regard to such transfers of personal data.
2.12 Automated decision making
2.13 We do not make automated decisions about you based on your information.
3 YOUR RIGHTS
3.1 Under data protection law you have the following rights:
3.1.1 the right to access a copy of your information which we hold. This is called a 'subject access request'. Additional details on how to exercise this right are set out in section 4, below;
3.1.2 the right to prevent us processing your information for direct marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by contacting us using the details set out in section 7, below;
3.1.3 the right to object to us processing your personal information in certain other situations;
3.1.4 the right, in certain circumstances, to have your information rectified, blocked, erased or destroyed if it is inaccurate; and
3.1.5 the right, in certain circumstances, to claim compensation for damages caused by us breaching data protection law.
3.2 From 25 May 2018 you will have the following additional rights under data protection law:
3.2.1 enhanced rights to request that we erase, rectify, cease processing and/or delete your information; and
3.2.2 in certain circumstances, the right to request the information we hold on you in a machine readable format so that you can transfer it to other services. This right is called 'data portability'. Additional details on how to exercise this right are set out in section 4, below.
3.3 You also have the general right to complain to us (in the first instance) and to the Information Commissioner's Office (if you are not satisfied by our response) if you have any concerns about how we hold and process your information. Our contact details are set out in section 7, below. The Information Commissioner's Office website is www.ico.org.uk.
3.4 For further information on your rights under data protection law and how to exercise them, you can contact Citizens Advice Bureau (www.citizensadvice.org.uk) or the Information Commissioner's Office (www.ico.org.uk).
4 ACCESS TO INFORMATION
4.1 Under data protection law you can exercise your right of access by making a written request to receive copies of some of the information we hold on you. You must send us proof of your identity, or proof of authority if making the request on behalf of someone else, before we can supply the information to you. Requests should be sent to us using the contact details in section 7 below.
4.2 From 25 May 2018 you will:
4.2.1 no longer have to pay a £10 fee unless you are requesting copies of documents you already possess, in which case we may charge our reasonable administrative costs. We will also be allowed to charge you for our reasonable administrative costs in collating and providing you with details of the requested information which we hold about you if your request is clearly unfounded or excessive. In very limited circumstances, we are also entitled to refuse to comply with your request if it is particularly onerous; and
4.2.2 in certain circumstances, be entitled to receive the information in a structured, commonly used and machine readable form.
5 DATA SECURITY
5.1 We will always store your digital information on secure servers. Unfortunately, however, the transmission of information via the internet is not completely secure. Although we will do our best to protect your information, we cannot guarantee the security of your information transmitted to our site or otherwise to our servers (such as by email). Any such transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
5.2 We ensure that our systems are encrypted and ensure that our passwords have an appropriate level of security.
6 CHANGES TO OUR PRIVACY NOTICE
This notice was last updated on 25 May 2018. Any material changes we may make to our privacy notice in the future will be uploaded to our website. Please check back frequently to see any updates or changes to our privacy notice.
Questions, comments and requests regarding this privacy notice are welcomed and should be addressed to Alexander Witcomb by email to awitcomb@ArtsAbroad.co.uk