GDPR STATEMENT
Review of GDPR 2018 impacts and compliance – Dolphin View Cottage, Ardersier.
Change in the Law
We have reviewed our data use and storage in our business based on our understanding of the changes in Data Protection law on GDPR applicable from May 25th 2018. The statements below represent our findings as a result of that review.
What data do we hold?
By Law we are required (by our Local Authority) and Immigration (Hotel Records) Order 1972 to collect the following information from guests on or before their arrival, full name and nationality. For guests who are not British, Irish or Commonwealth guests we also need to collect passport number and place of issue (or other documents which shows identity and nationality. Details of the next destination, including the address if know on or before departure.
To have the details of those who are booked to stay in Dolphin View Cottage, we store information provided to us/required by us of those booking Dolphin View Cottage on a Booking Acknowledgement form (a word document). This is compiled & sent to guests to confirm the details of their booking. The information on the Booking Acknowledgement Form includes the following:
- Lead booking contact name
- Names of others in the party
- Contact telephone number(s)
- Email address
- Postal address
- Details of the booking including the dates, accommodation set up required, likely ETA, things we need to know regarding any pets accompanying and the tariff payable
We also have guests’ email addresses/mobile numbers in our email/mobile message records.
We do not take card payments through our website so we do not store bank card details. The majority of our accommodation payments are paid directly into our bank account by bank transfer or by cheque.
Limited payment data is stored by the business’s Paypal card payments system within our Paypal account although this is only transaction data and no names and addresses and only partial card details are retained. Whilst the Paypal system does often supply a contact email/mobile number within the transaction to send a receipt, these details are not available to us once the transaction is complete.
Bookings made through Trip Advisor/Flipkey are handled by Trip Advisor and the only information given to us is the guests name and contact information. All other information is held by Trip Advisor and falls under their GDPR.
How do we store the data we hold?
All accommodation Booking Acknowledgement Forms are kept on our private computer as part of our business records and the data on them is not processed or used for marketing purposes or any other purposes by ourselves or any third party.
We also have guests’ email addresses/mobile numbers in our email/mobile message records.
Feedback forms where guests have opted in to receive information on cancellations or late availability offers are kept as paper copies and not stored electronically.
How do we use the data we hold?
The data we hold is used to contact guests about their stay prior to their visit or after they have departed in relation to items left behind.
If a guest has opted in to receive late availability offers or cancellations we may contact them by the method of communication the guest chose.
The Dolphin View Cottage Facebook page is used to update those who have indicated they wish to be ‘friends’ of the business. This is subject to the normal security protocols of Facebook, contains no personal information and people can ‘unfriend’ at any point.
What will we do if you wish to change your data record or have it removed?
Apart from opted in late availability/cancellation offers, we do not proactively use data held to contact guests (past, present or future) so in the case where guests’ contact details have changed then following an inbound communication from them in relation to a new booking, the new contact details would be used in relation to that booking.
In terms of access, we have stated here what data we hold on guests, why we hold it and what it is used for.
In terms of personal data removal, should guests wish us to remove their personal data held then the following would happen. We would delete all emails/mobile messages in our records relating to their email address/mobile number and strip their postal address, email address and phone numbers from our computer.
In terms of any messages/communications/reviews etc left by guests on Google, TripAdvisor, Facebook or any other third party platform then we would expect guests to manage and remove those as they saw fit, although we do feature some on our website and if we were asked to remove these then we would.
We would undertake this within a month of receiving the request (to allow for delay if we are on holiday) and we would then confirm the removal of data (and then destroy that communication).
Data Security
As our business is run by 2 people who are a married couple and they are the only people who have access to the data we hold, our assessment of the risk of a breach is that it is highly remote. We do not anticipate any security breaches.
Conclusion
We do not believe that the way we store and use the data we hold provides a security risk or falls within the scope of the changed data protection legislation in GDPR from May 25th 2018.
Lynn and Mike Birch.