Last Updated: 12th December 2023
Aimbridge Hospitality EMEA (“Aimbridge”, “we” or “us”) respects your right to privacy. This Privacy Notice explains who we are, how we collect, share and use personal information about guests staying at our hotels (“guest”, “you”), and how you can exercise your privacy rights. If you have any questions or concerns about our use of your personal information, then please contact us using the contact details provided at the bottom of this Privacy Notice.
What does Aimbridge do?
Aimbridge offers a complete suite of hotel management services with a team of hospitality professionals, providing hotel owners and developers with personalised attention and a focus on top line revenues and bottom line profits, every single day, at each and every hotel we operate. Our world-class management platform offers industry leading systems and solutions, experienced professionals, depth of resources, and valuable relationships with major global hotel brands.
For more information about Aimbridge, please see the “About Us” section of our website at https://aimbridgeemea.com/about/.
What personal information does Aimbridge collect and why?
The personal information that we may collect about you broadly falls into the following categories:
- Information that you provide voluntarily
We ask you to provide certain information voluntarily. The types of information we ask you to provide, and the reasons why we ask you to provide it, include your contact details in order to make a reservation, book or purchase one of our services, subscribe to marketing communications from us, and to submit enquiries to us.
We will also ask you to provide your credit card details so that we can charge you for any purchases that you make during your stay at the hotel. We will also collect your hotel loyalty card number so that we can communicate with the hotel to ensure that you collect points for your stay at the hotel.
If we ask you to provide any other personal information not described above, then the personal information we will ask you to provide, and the reasons why we ask you to provide it, will be made clear to you at the point we collect your personal information.
- Information that we collect automatically
We may also collect certain information automatically from your device. In some countries, including countries in the European Economic Area, this information may be considered personal information under applicable data protection laws.
Specifically, the information we collect automatically may include information like your IP address, device type, unique device identification numbers, browser-type, broad geographic location (e.g. country or city-level location) and other technical information. We may also collect information about how your device has interacted with our website, including the pages accessed and links clicked.
Collecting this information enables us to better understand the visitors who come to our website, where they come from, and what content on our website is of interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our website to our visitors.
Some of this information may be collected using cookies and similar tracking technology, as explained further under the heading “Cookies and similar tracking technology” below.
- Information that we obtain from third party sources
From time to time, we may receive personal information about you from third party sources (including travel agents that have made a booking on your behalf), but only where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.
The types of information we collect from third parties include your name, address, email, credit card rewards number and stay history. We use the information we receive from these third parties to honour your reservation.
Who does Aimbridge share my personal information with?
We may disclose your personal information to the following categories of recipients:
- to our group companies, third party service providers and partners who provide data processing services to us, or who otherwise process personal information for purposes that are described in this Privacy Notice or notified to you when we collect your personal information;
- to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
- to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Privacy Notice;
- to any other person with your consent to the disclosure.
Legal basis for processing personal information (EEA visitors only)
If you are a visitor from the European Economic Area, our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
However, we will normally collect personal information from you only where we have your consent to do so, where we need the personal information to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.
If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).
Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party), we will make clear to you at the relevant time what those legitimate interests are.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “How to contact us” heading below.
Cookies and similar tracking technology
We use cookies and similar tracking technology (collectively, “Cookies”) to collect and use personal information about you, including to serve interest-based advertising. For further information about the types of Cookies we use, why, and how you can control Cookies, please see our Cookie Notice.
How does Aimbridge keep my personal information secure?
We use appropriate technical and organisational measures to protect the personal information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information.
International data transfers
Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country.
Specifically, our servers are located around the world, and our group companies and third party service providers and partners operate around the world. This means that when we collect your personal information we may process it in any of these countries.
However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice.
Data retention
We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
Your data protection rights
You have the following data protection rights:
- If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us using the contact details provided under the “How to contact us” heading below.
- In addition, if you are a resident of the European Union, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided under the “How to contact us” heading below.
- You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), then please contact us using the contact details provided under the “How to contact us” heading below.
- Similarly, if we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries (including the US and Canada) are available here.)
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
Updates to this Privacy Notice
We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.
You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.
How to contact us
If you have any questions or concerns about our use of your personal information, please contact us using the following details: To contact us regarding our privacy policy, please email privacy.emea@aimbridge.com or for all Data Subject Requests please click here.
Corus Hotels
General Data Protection Rules Compliance Framework Guide
GDPR Portal:
- GDPR Governance Statement
- Data Privacy Policy
- Legal Basis for Processing Personal Data
- Data Processing & Retention of Personal Data
- Guests Access Rights
Essential Q&A on Corus Hotels’ GDPR Compliance:
- GDPR Compliant Standard Operating Procedure
- GDPR Human Resources
- GDPR Front of House
- GDPR Housekeeping
- GDPR Food & Beverage
- GDPR Guest Relation, Reservation, Meeting & Events, Sales Office
- GDPR Accounts / Payroll
- GDPR Marketing
- GDPR Leisure Clubs
- The Regency Hotel Solihull Leisure Club
- Burnham Beeches Hotel Leisure Club
- GDPR CCTV
Supplier GDPR Policies
Corus Hotel GDPR Training Records
Corus Hotels – Legal Basis for Processing Personal Data
Corporate and Commercial Individual Data
Corus Hotels (“we”, “us”, “our”) makes a distinction between the corporate and commercial data of individuals, including their corporate and commercial emails, and their personal data and emails. Corporate and commercial data, including individual corporate and commercial emails, are retained on the basis of legitimate interest to facilitate the ordinary course of our business and commercial relationships, transactions and business needs in the course of business dealings. Individuals with corporate or commercial emails may at any time write to the Data Processing Officer at DPO@thebelsfieldhotel.com to request that retention of their data cease. This can result in Corus Hotels no longer being able to communicate or transact with any such individual, and Corus Hotels may request a company or body corporate dealing with us to nominate another person expressly willing to receive communications and to have their corporate and commercial individual data retained in the course of business dealings, subject always to that person’s individual rights as set out herein. It shall be the responsibility of each company or body corporate to establish the express consent of persons acting on their behalf.
Corus Hotels has set out herein the Legal Basis for Processing Personal Data (Customer data). The circumstances where legitimate business interest might apply have been set out below for your reference.
The Legal Basis for Corus Hotels Ltd (collectively referred to as the “Hotel”) for processing and/or retaining Personal Data subject to the Data Protection Act 1998 and the European General Data Protection Rules (“GDPR”) are:
- the Hotel shall require from all parties who handle its personal data a statement as to whether such data will be processed or retained outside the European Union, and the Hotel’s express written consent must be sought for any such processing, on the basis of express consent by the Client or on the basis of a clearly evidenced legitimate interest, usually one necessary to enable the Hotel to perform its contractual obligations or to comply with any legal obligations enforceable in the Courts of England and Wales;
- the Client, in booking a stay and/or use of the Hotel’s facilities, consents to the processing of his or her personal data to enable the Hotel to fulfil the Client’s needs and requirements during the Client’s stay at the Hotel and/or use of the Hotel’s facilities;
- the Employee’s personal data shall be retained on the basis of legitimate interest for a period of 7 years after the Employee leaves the employment of Corus Hotels Ltd. The Client may refer to the Hotel’s Data Privacy Policy weblink (please see: Data Processing & Retention of Personal Data on our GDPR Portal);
- the Hotel needs to receive, retain and process relevant personal details insofar as is necessary to enable it to perform its contractual obligations or to take necessary steps at the request of a Client or an Employee prior to entering into a contract;
- the Hotel, as the Data Controller, will process and/or retain data insofar as it is necessary to enable the Hotel to comply with its legal obligations, including but not limited to assisting the Government’s security agencies as part of any investigative query that may be made, and shall retain such data under such circumstances until advised by the said security agencies that such data is no longer required, whereupon it shall be destroyed within 7 days of any such final notice;
- the Hotel shall process and retain personal data insofar as it is necessary, subject to particular circumstances, to protect the vital interests of the Client or Employee or any other natural person, for example the need to contact the next of kin or upon a dispute raised by a Client or Employee;
- the Client or the Employee consents that anonymised personal data relating to the Client or the Employee (all personal identification removed) may be used when the Hotel is required to act in the public interest or in the exercise of official authority vested in the Hotel as the Data Controller;
- the Hotel’s retention of personal data of the Client or the Employee will be insofar as it is necessary for the legitimate interests pursued by the Hotel’s Data Controller or a third party (normally statutory agencies); the Client may seek to withdraw such consent at any time and, subject to the foregoing sub-clauses (a) to (e), the Hotel will comply with the Client’s request. The Client’s rights can be found under The Guest’s Rights with respect to Personal Data under GDPR on our GDPR Portal. All Employee personal data legally required in the course of the Employee’s employment with the Hotel shall be retained until 7 years after the Employee leaves the employment of the Hotel, whereupon it shall be destroyed if there are no ongoing issues or disputes between the Employee and the Hotel;
- The Hotel will not retain any data in relation to any child or children and shall in circumstances involving such minors only deal with their parents or guardians as the case may be.
Legitimate Business interest
- Direct marketing
The GDPR states, ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’ This may apply where consent is not viable or not preferred, where there is a business need or purpose, and where there is a balance of interests between ours and those of the person(s) receiving such direct marketing.
During the period a person responds to and communicates with us on our marketing approach, we will retain such data securely at the relevant department. Reference may be made to our Data Processing & Retention of Personal Data Policy. Where such correspondence on the initial approach ceases, or at any time during such communication, any person can easily click on the ‘unsubscribe’ link or make a request by contacting the Data Processing Office at DPO@thebelsfieldhotel.com or at our postal address, which can be found at Data Privacy Policy – Corus Hotels.
- Relevant and appropriate relationship
This may be a direct appropriate relationship, such as where the individual is a client.
- Reasonable expectations
As previously discussed, if a controller understands individuals have a reasonable expectation their data will be processed, this may help to make a case for legitimate interests.
Data Processing & Retention of Personal Data Policy
Corus Hotels Ltd will retain your personal data for the period it is validly necessary related to the subject matter of any enquiry, booking, period of stay, transaction, employment period and marketing communication on the basis of business needs and/or a legitimate interest:
We will only keep data which is relevant to your transaction and/or relationship with us as follows:
- For all Clients of the Hotel, once the Client is no longer a guest at the Hotel and there are no outstanding matters between the Hotel and the Client, the Hotel will delete all personal data of the Client, pursuant to existing legal requirements, two (2) years after the Client’s last use of or stay at the Hotel and in any event, after that two-year period, within seven (7) days of the settlement of any outstanding balance or issues, whichever is the later;
- For all Employees, we will retain personal data during the period of the employee’s employment and for seven (7) years after the employee leaves the employment of Corus Hotels Ltd, and thereafter destroy the same by handing all related files to a certified data shredding company and removing all related files from our database;
- Personal data for all Marketing Communications expressly consented to by the Client will be deleted upon the Client opting out of or unsubscribing from further marketing communications. The Client will be provided with clear boxes to ‘Opt-Out’ or ‘unsubscribe’ from any further communication at any time and will not receive any such communication material thereafter. The unsubscribe link will be at the end of each email.
Guests Access Rights
Booking or Transacting with the Hotel
As a matter of legitimate business interest, when you enquire, make a reservation and/or communicate with the Hotel as an intended guest, you consent to the Hotel receiving, processing and retaining your data for the intended purpose or until the period of your stay is complete. You may click on our Data Privacy Policy for the purposes for which we collect this data, and on our Data Processing & Retention of Personal Data Policy for how long we will retain your personal data.
Your Rights
As a guest from an EU Member State, your rights as a guest are as follows:
- The right of access to your data upon your written request to our Data Protection Officer at the contact details below. You may follow the same procedure for all your rights below;
- The right to rectification by following the same;
- The right to erase;
- The right to restrict processing;
- The right to transfer your data to another party with your express written instruction;
- The right to object;
- The right not to be included in automated marketing initiatives or profiling.
The Information Commissioner’s Office guide on how to make a personal request for information can be found by clicking on this link: https://ico.org.uk/for-the-public/personal-information/
Guest Access Requests
We will ordinarily respond to you by email within 30 days of your making any request with respect to your rights stated herein above. For a Postal Response the effective response date will be the date of posting and not receipt. We will not charge you for any personal request made by you and only you unless the request is unfounded or excessive. In the event we decline your request primarily but not exclusively based on conflicting data protection or privity of contract issues, we will notify you – primarily by way of an email – our reasons for declining your request.
If you are not satisfied with our reasons for declining your request, you may write your complaint to the following parties:
- The Information Commissioner
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Email: casework@ico.org.uk or follow these links: https://ico.org.uk/for-the-public/raising-concerns/ and https://ico.org.uk/global/contact-us/email/
and/or
- Our Data Protection Officer:
The Data Protection Officer,
Corus Hotels Ltd
Corus House
1 Auckland Park
Milton Keynes
MK1 1BU
Email: dpo@thebelsfieldhotel.com
Lawful Basis for Processing Guest Data
You can click on this link to follow our Legal Basis for Processing Personal Data and our Data Processing & Retention of Personal Data on our GDPR Portal
Essential Q&A on Corus Hotels’ GDPR Compliance
- Do you use this data for any other purpose than the fulfilment of our contract with you; namely for anything other than the delivery of the service of accommodation to our customer?
Corus Hotels does not use personal data for any purpose other than the legitimate purpose and interest of delivering the service of accommodation to our Customers.
- Do you share this data with any other party and if so who and why?
Corus Hotels does not actively share Customer Data. However, Guestline, as our PMS provider, has access to this data and would be deemed a Data Processor under the GDPR Rules. We have obtained a GDPR Compliance statement from Guestline.
Corus only shares Employee data on the basis of business needs and requirement and legitimate interest.
- What period do you retain the data for? (i.e. what period after fulfilment of the contract do you retain the data for prior to disposing of it?)
A maximum of 2 years for Customers and 7 years for Employees as set out hereunder:
- For all Clients of the Hotel, once the Client is no longer a guest at the Hotel and there are no outstanding matters between the Hotel and the Client, the Hotel will delete all personal data of the Client, pursuant to existing legal requirements, two (2) years after the Client’s last use of or stay at the Hotel and in any event, after that two-year period, within seven (7) days of the settlement of any outstanding balance or issues, whichever is the later;
- For all Employees, we will retain personal data during the period of the employee’s employment and for seven (7) years after the employee leaves the employment of Corus Hotels Ltd, and thereafter destroy the same by handing all related files to a certified data shredding company and removing all related files from our database;
- Personal data for all Marketing Communications expressly consented to by the Client will be deleted upon the Client opting out of or unsubscribing from further marketing communications. The Client will be provided with clear boxes to ‘Opt-Out’ or ‘unsubscribe’ from any further communication at any time and will not receive any such communication material thereafter. The unsubscribe link will be at the end of each email.
- Do you have a process in place that would allow you to respond effectively and timely to requests from us to ascertain the data that you are holding on one of our customers, to correct any errors in that data and following fulfilment of the contract to comply with an individual’s request to erase their data?
Yes – you may contact our Data Processing Officer at DPO@thebelsfieldhotel.com
We have established clear GDPR compliant Access Rights under our Data Privacy Policy:
You have a right to access the personal information that is held about you. Please refer to the details of your rights by clicking on this link: Guest Access Rights on our GDPR Portal. To obtain a copy of the personal information Corus Hotels holds about you, please email us at DPO@thebelsfieldhotel.com enclosing your postal details and the details of your request.
Alternatively, you can write to us at the following address:
Data Protection Officer
Corus Hotels Ltd
Corus House
1 Auckland Park
Milton Keynes
MK1 1BU
- What steps have you taken to secure and protect the data? In particular from a breach or other cyber-attack.
We have entrusted our data security protection, including protection against cyber-attacks, to our contractor IDE Group Ltd. IDE Group control and monitor all Corus Head Office and Hotels internet traffic through a security gateway. Credit card data is encrypted on our credit card machines, and online payments are made only through our secure gateway providers, namely Lloyds Bank plc, Global Blue Service Company Austria GmbH and Bank of China (UK) Limited, using the latest SSL (Secure Sockets Layer) technology to make sure that the details you provide when placing an order are kept private and secure, making shopping on our website safe. Please refer to Payment Card Security in our Data Privacy Policy on our GDPR Portal.
- Where and how is the data stored?
- Physical Data: Stored at the Front Desk. The data card is locked in a cabinet and is accessible by authorised personnel of Corus Hotels only. Authorised personnel must sign in and out every time they handle the secure key.
- Electronic Data: Data on our PMS system is only accessible with a secure password.
- Destruction of Physical Data: Pursuant to our GDPR Policy, physical data, which is secured in a locked cabinet with a security key, is handed on or before the end of 2 years from the date such data came into being to an authorised and certified Data Shredding Company.
- Who can access the data and what controls are in place to prevent unauthorised access?
We have a GDPR Policy and Process in place as to who can access such data. As a hotel operator, the individuals who can access such data are Corus Hotels’ authorised personnel, particularly the Front Desk, who need to deal with such data on a business need and/or legitimate interest basis.
- What is your notification plan in the event of a data breach?
The Data Protection Officer at Corus Hotels Ltd shall promptly, within 48 business hours (or immediately after a weekend, or on the business day after a bank holiday), notify the Information Commissioner’s Office and the affected party of:
- any data breach;
- the circumstances of such breach;
- the steps taken to remedy the breach; and
- the steps taken to prevent similar recurrence.
GDPR SOPs – May 2018
GDPR – HOUSEKEEPING
| Data Held | Storage | Accessibility | Action Plan |
| --- | --- | --- | --- |
| Lost Property Files (home address, email address, credit cards, etc.) | HSK Office | · Head Housekeeper · Asst. HSK · Duty Manager | Any lost property containing personal data must be stored in a locked cabinet |
| Guest Feedback cards (where applicable) | Front Office and then Marketing | · Housekeeping Personnel · Reception Personnel | · All housekeeping personnel to be trained on how to handle documents containing personal data · Feedback Cards to be handed to the Front of House team as soon as collected |
| Names, Address and Timesheets of Employees | HSK Office | · Head HSK · Asst. HSK · DM | The data must be stored in a locked cabinet or locked office |
| Computer | HSK Office | · HSK Manager and Asst. · one email, 2 access | Computer must be on sleep mode and username logged out when left unattended |
| HSK Office | N/A | · Supervisors · HSK Manager · Asst. HSK | Must be locked when unattended and have the filing cabinet locked so that no one can access personal data |
| Master Keys | HSK Office | · Supervisors · HSK Manager · Asst. HSK | Sign in/out register, must be kept in a locked cabinet |
HUMAN RESOURCES
| Data Held | Storage | Accessibility | Action Plan |
| --- | --- | --- | --- |
| Employee Data: personal info consisting of email, contact number, CV and other personal details (sensitive) | Locked Cabinet or Locked Office | HR Personnel | |
| HR Office | N/A | · HR Personnel · GM | Password/keys only available to HR Personnel and GM |
| Correction/update to Personal Data | HR Office, Personnel Files | HR Personnel | · Let workers check their own records periodically. This will allow mistakes to be corrected and information to be kept up to date · Please make the “change to personal details form” available to employees to prompt them to update their personal data · Check what records are kept about your workers, and make sure you are not keeping information that is irrelevant, excessive or out of date. Delete information that you have no genuine business need for or legal duty to keep. |
| Recruitment Data, CVs | HR Office, Personnel Files | · HR Personnel · HODs · GM | · Obtain written consent from employees before disclosing a reference · Please refer to the GDPR Policy |
| Disposal of confidential documents | Locked Storage | · Front of House staff · Finance Department · Duty Managers | · Shredder must be available to the department · Please refer to the retention of records requirements for specified times of disposal |
| Computer Monitors/laptops | HR Office | HR Personnel | · Install privacy screen to restrict the view where possible · Computer must be on sleep mode and username logged out when left unattended |
FOOD & BEVERAGE
| Data | Storage | Accessibility | Action Plan |
| --- | --- | --- | --- |
| File containing Holidays, F&B training, Supplier name and contact details | Locked office or locked cabinet | Restricted access to managers and supervisors | · All documentation containing personnel data must be stored in a locked cabinet or locked office · Only accessible to authorised personnel who have signed a GDPR policy disclaimer |
| Desktop Computers | Office | · F&B Supervisors · F&B Managers | · Install privacy screen to restrict the view where possible · Computer must be on sleep mode and username logged out when left unattended |
| PDQ slips containing Credit Card details | Tills and then Front of House | · F&B Personnel | · No PDQ slips to be left unattended; make sure they are in a secure location at all times and hand them in to a member of staff at reception (not to be left unattended) |
| Disposal of confidential documents | NA | NA | · Shredder must be available to the department and any hard copy document containing personal data must be shredded · No documentation containing personal data must be left unattended (e.g. function sheets, guest breakfast list, etc.) |
| F&B Office | NA | · Supervisors · Managers | · No documentation containing personal data to be left unattended |
FRONT OF HOUSE
| Data | Storage | Accessibility | Action Plan |
| --- | --- | --- | --- |
| Guest Registration Cards/Invoices containing email addresses, names, addresses, telephone numbers, car reg. cards, passport copies, etc. · PDQ Slips | Locked Cabinet | · Front of House staff · Finance Department · Duty Managers | · Registration cards, passport copies, invoices, PDQ slips and any other personal data must be accessible only to front of house personnel/Duty Managers/Accounts · No registration cards, passport copies, invoices, PDQ slips or other personal data to be left unattended · Registration cards, passport copies, invoices, PDQ slips must be stored in a locked cabinet · Old registration cards, passport copies, invoices, PDQ slips must be stored in a locked storage room · Registration cards, passport copies, invoices, PDQ slips and any other personal data must be held for no longer than 2 years · Old registration cards, invoices, PDQ slips and any other personal data must be disposed of by using a certified shredding company and a certificate must be provided to the finance department |
| Guest feedback cards with the opt in box TICKED | | · Mail by ‘signed for’ post to Marketing Department at Head Office | |
| Desktop Computer | Reception/Front Office | · Front of House Staff · Duty Managers | Privacy screen to prevent other staff and guests from viewing guest details. |
| Login Reslynx (front office system) | PC/Laptop | · Front of House staff · Finance Department · Duty Managers | · Team members must use their own logins · Computer must be on sleep mode and username logged out when left unattended · Passwords must be changed on a regular basis · Users who are no longer required must be deactivated within 24 hours |
| Disposal of confidential documents | Locked Storage | · Front of House staff · Finance Department · Duty Managers | · Shredder must be available to the department · Please refer to retention of records requirements for specified times of disposal |
| FOH Office – storage of staff info, mobile numbers, supplier’s details, function sheets, etc. | Locked Cabinet | Only authorised personnel | · No documentation containing personal data to be left unattended |
GUEST RELATION, RESERVATION, MEETING & EVENTS, SALES OFFICE
| Data | Storage | Accessibility | Action Plan |
| --- | --- | --- | --- |
| Guest complaints, email addresses, contracts · Sales: email addresses, revenue, contact number, credit card info · Function Sheets · Invoices | · Filing cabinet in locked office · Locked cabinet · PCs/laptop | · Guest Relation Personnel · Reservation personnel · Meeting & Events personnel · Sales personnel | · Any documentation containing personal data must be accessible only to Guest Relation, Reservation, M&E and Sales personnel · No personal data to be left unattended · Documentation containing personal data must be stored in a locked office or locked cabinet · Please refer to the documentation disposal timetable and dispose of documentation containing personal data accordingly · Dispose of old documentation containing personal data by using a certified shredding company; a certificate must be provided to the finance department · No personal data may be used to contact anyone proactively unless they have expressly opted in to receive such communication from us. If in doubt, please refer to the marketing department |
| Computers & Laptops containing personal data | Offices | Visibility | · Privacy screen on the computers · Computer must be on sleep mode and username logged out when left unattended |
| Sales and Reservation office | Locked Storage | Only authorised personnel | No documentation containing personal data to be left unattended |
| Disposal of confidential documents | Locked Storage | · Guest Relation · Reservation · M&E · Sales team · DM | · Shredder must be available to the department and any hard copy document containing personal data must be shredded · Please refer to retention of records requirements for specified times of disposal |
ACCOUNTS/ PAYROLL
| Data | Storage | Accessibility | Action Plan |
| --- | --- | --- | --- |
| Financial Data & Documentation (including guest invoices, bank details, credit card details, P&L, POs, etc.) · Suppliers details · Suppliers invoices · Ledger invoices | · Filing cabinet in locked office · Locked cabinet | Accounts Personnel | |
| Employee Data – Payroll Data | · Filing cabinet in locked office · Locked cabinet | · HR Personnel · Accounts | |
| Nest pension | · PCs/Laptops · Personnel files | · HR/Payroll personnel | |
| Accounts Office | NA | · Accounts team · HR · DM | |
| Disposal of confidential documents | · Locked Storage | · Accounts Personnel · DM | |
MARKETING
| Data | Storage | Accessibility | Action Plan |
| --- | --- | --- | --- |
| Guest Personal Data available on various databases/social media | PC/Laptop | Marketing Personnel | |
| Disposal of confidential documents | PC/ Laptop | | |
| Guest feedback cards with the opt in box TICKED | Locked cabinet | Marketing personnel | · Marketing receives guest feedback cards from hotels and retains opted-in ones only, for marketing and promotional purposes. |
| Computer Monitors/laptops | Marketing office | Marketing Personnel | · Install privacy screen to restrict the view where possible · Computer must be on sleep mode and username logged out when left unattended |
Leisure Clubs
GDPR SOP – Solihull Leisure Clubs
| Data | Storage | Accessibility | Action Plan |
| --- | --- | --- | --- |
| Membership forms | · Filing cabinet in locked office · Locked cabinet | · Leisure Club Staff · Finance Department · Duty Managers | · No personal data may be used to contact anyone proactively unless they have expressly opted in to receive such communication from us. If in doubt, please refer to the marketing department |
| Day passes | Folder in locked cabinet | · Leisure Club Staff · Finance Department · Duty Managers | · Last 30 days of data that are no longer active shall be kept at the leisure facility within the Hotel · All inactive data beyond 30 days and up to 3 years is kept in the designated locked office within the Hotel · Leisure Manager shall keep the main key and spare key in the GM office · Any data over 3 years shall be destroyed by a certified company within 1 year from the end of the 3-year period |
| Residents; privacy statements on membership forms | Kept in locked leisure office as above. Data up to 3 years. | · Leisure manager and HR manager | This is the exact privacy statement on membership forms: 1. In compliance with the Data protection act 1998; we take the privacy of our members very seriously. If you have any requests concerning your personal information or any queries in regard to our processing, please contact the club manager. The statements below explain how we use your personal information. · Information collected: We collect personal information from you through the membership form and your use of our facilities. The information we collect may relate to your physical health or condition. · Use of your information: We use your personal information for the purposes of providing and personalising our membership services and may contact you from time to time informing you of related services or products. If you do not wish to receive such information you should instruct the club manager accordingly, in writing. We may also contact you if you have not recently attended the facilities to offer encouragement or seek information for the reasons for your recent absence. Again, if you do not wish to be contacted in this way please instruct the club manager in writing. |
| Privacy notices on sign in books | Same as above | · Same as above | By selecting yes, you agree to receive e-mails or phone calls regarding information about memberships and sales opportunities within our leisure club. By signing you accept full responsibility for yourself and the person(s) who are accompanying you, particularly all children and teenagers up to the age of 18. You are aware that use of the club is entirely at your own risk and that no liability, damage or injury arising from your use without supervision shall be the responsibility of the owner or manager or operator of the club. You are also signing to agree and abide by the Terms and Conditions set within The Regency Leisure Club. Terms and Conditions are found displayed at the notice board by the leisure reception. You can request a copy from the Hotel reception at any time. Finally, you are signing to confirm that you are physically fit enough to engage in exercise within the club. If you are unsure of this, please contact your GP for approval prior to exercise. We also accept no responsibility or liability for personal belongings within the leisure club. Guests and members are responsible for their own possessions, including any damage and loss to personal effects and belongings. |
| Computers & Laptops containing personal data | Leisure reception desk | Shared login – leisure club staff only | · Privacy screen on the computers · Computer must be on sleep mode and username logged out when left unattended |
| CCTV coverage | Two systems operating, one internal leisure system and the other the general hotel system | · Internal – Maint manager only has the code · General Hotel – GM, Ops and Maint mgr. have codes | · Images are recorded over every 28 days on both systems; images can only be viewed or saved by using a code and can only be saved onto a network-secured device |
| CCTV statement | Generic statement | On wall in leisure | · “Security Notice: These premises are under CCTV surveillance for the purposes of crime prevention and public safety. Operated and controlled by Corus Hotels Limited.” |
| Disposal of confidential documents | Locked Storage | Leisure manager and HR manager | |
GDPR SOP – Burnham Leisure Clubs
| Data | Storage | Accessibility | Action Plan |
| --- | --- | --- | --- |
| Membership forms | · Filing cabinet in locked office · Locked cabinet | · Reception and Sales Office Staff · Finance Department · Duty Managers | · No personal data may be used to contact anyone proactively unless they have expressly opted in to receive such communication from us. If in doubt, please refer to the marketing department |
| Residents; privacy statements on membership forms | Kept in locked leisure office as above. Data up to 3 years. | · Front Office Manager and HR manager | This is the exact privacy statement on membership forms: 1. In compliance with the Data protection act 1998; we take the privacy of our members very seriously. If you have any requests concerning your personal information or any queries in regard to our processing, please contact the club manager. The statements below explain how we use your personal information. · Information collected: We collect personal information from you through the membership form and your use of our facilities. The information we collect may relate to your physical health or condition. · Use of your information: We use your personal information for the purposes of providing and personalising our membership services and may contact you from time to time informing you of related services or products. If you do not wish to receive such information you should instruct the club manager accordingly, in writing. We may also contact you if you have not recently attended the facilities to offer encouragement or seek information for the reasons for your recent absence. Again, if you do not wish to be contacted in this way please instruct the club manager in writing. |
| Privacy notices on sign in books | Same as above | · Same as above | By selecting yes, you agree to receive e-mails or phone calls regarding information about memberships and sales opportunities within our leisure club. By signing you accept full responsibility for yourself and the person(s) who are accompanying you, particularly all children and teenagers up to the age of 18. You are aware that use of the club is entirely at your own risk and that no liability, damage or injury arising from your use without supervision shall be the responsibility of the owner or manager or operator of the club. You are also signing to agree and abide by the Terms and Conditions set within The Regency Leisure Club. Terms and Conditions are found displayed at the notice board by the leisure reception. You can request a copy from the Hotel reception at any time. Finally, you are signing to confirm that you are physically fit enough to engage in exercise within the club. If you are unsure of this, please contact your GP for approval prior to exercise. We also accept no responsibility or liability for personal belongings within the leisure club. Guests and members are responsible for their own possessions, including any damage and loss to personal effects and belongings. |
| Computers & Laptops containing personal data | Reception Desk | Shared login – reception staff only | · Privacy screen on the computers · Computer must be on sleep mode and username logged out when left unattended |
| CCTV coverage | General hotel system | · General Hotel – GM, Ops and Maint mgr. have codes | · Images are recorded over every 28 days on both systems; images can only be viewed or saved by using a code and can only be saved onto a network-secured device |
| CCTV statement | Generic statement | On wall in Reception | · “Security Notice: These premises are under CCTV surveillance for the purposes of crime prevention and public safety. Operated and controlled by Corus Hotels Limited.” |
| Disposal of confidential documents | Locked Storage | Front Office Manager and HR manager | |