Schedule 1: Privacy notice
The following information constitutes our privacy notice.
In this Schedule, “we”, “our”, or “us” refers to Albania Tour Guide and “you”, “your” refers to the lead-named person on the booking details all persons on whose behalf a booking is made.
You can contact us by e-mail about privacy at email@example.com
1. This is a notice to inform you of our policy about all information that we record about you. It sets out the conditions under which we may process any information that we collect from you, or that you provide to us.
2. We take seriously the protection of your privacy and confidentiality. We understand that you are entitled to know that your personal data will not be used for any purpose unintended by you, and will not accidentally fall into the hands of a third party.
3. We undertake to preserve the confidentiality of all information you provide to us, and hope that you reciprocate.
4. Except as set out below, we do not use, share or disclose to a third party, any information collected under this contract or otherwise.
In this Schedule, the following words shall have the following meanings:
“Act” means the Data Protection Act 2018.
“Data Protection Legislation” means all or any of:
(a) the GDPR,
(b) the applied GDPR,
(c) the Act,
(d) regulations made under the Act
(e) regulations made under section 2(2) of the European Communities Act 1972 which relate to the GDPR or the Law Enforcement Directive.
“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
“the applied GDPR” means the GDPR as applied by Chapter 3 of Part 2 of the Act.
“Law Enforcement Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
“data controller”, “data processor”, “data subjects”, “personal data”, “process”, “processed” and “processing” shall have the meanings respectively, as defined in the Act. Note that “process” and “processing” are defined to include simple events like receiving data into our system, or storing it. Processing is not limited to “doing something with it”.
In this agreement, “personal data”, is limited to data which comes into our hands in some way connected to the terms and conditions of your booking.
2. Data Protection
4.1 The obligations described in this Schedule are in addition to our obligations under the Data Protection Legislation.
4.2 Under the Act, we are obliged to inform you what personal data we hold about you, or may hold at some future date. We must tell you how we propose to use that data and give you other information.
3. What data we may process in each category
We shall process this basic personal data:
4.3 your name, age, personal address, private email address.
4.4 telephone number
4.5 passport data
4.6 all other information you gave to us.
4.7 all data which comes to the attention of any of our representatives or other staff whom you may contact for any reason.
4.8 financial information processed through the banking system.
4.9 information supplied to us by a third party.
4.10 information relevant to the performance of your contract.
4.11 technical information relating to electronic communication, which is personal information only when associated with the name or identity of the data subject.
4. The bases on which we process information about you
The Data Protection Legislation requires us to determine under which of six defined grounds we process different categories of your personal information, and to notify you of the basis for each category. We mention three categories below. The others are not relevant to your contract.
If a basis on which we process your personal information is no longer relevant then we shall immediately stop processing your data.
If the basis changes then if required by law we shall notify you of the change and of any new basis under which we have determined that we can continue to process your information.
Information we process because we have a contractual obligation with you
When a contract is formed between you and us, in order to carry out our obligations under that contract we must process personal information.
We use your information in order to provide you with our services under that contract.
We process this information on the basis there is a contract between us, or that you have requested we use the information before we enter into a legal contract.
We shall continue to process this information until the contract between us ends or is terminated by either party under the terms of the contract.
Information we process with your consent
Only when you have given us explicit permission to do so, do we process your personal information under the basis of consent.
We continue to process your information on this basis until you withdraw your consent or it can be reasonably assumed that your consent no longer exists.
You may withdraw your consent at any time by telling us. However, if you do so, you may not be able to use our services further.
Information we process because we have a legal obligation
Sometimes, we must process your information in order to comply with a statutory obligation.
For example, we may be required to give information to legal authorities if they so request or if they have the proper authorisation such as a search warrant or court order.
This may include your personal information.
5. Specific uses of information you provide to us
Booking and pre-booking enquiries
We use your personal information to arrange, process and confirm your booking and to answer any pre-booking enquiry you may have. While making your travel arrangements we will need to disclose personal data to the suppliers of the services which are part of your booking.
Communicating with you
When you contact us, whether by telephone or by e-mail, we collect the data you have given to us in order to reply with the information you need.
We record your request and our reply in order to increase the efficiency of our business.
We keep personally identifiable information associated with your message, such as your name and email address so as to be able to track our communications with you at a later time.
Dealing with complaints
When we receive a complaint, we record all the information you have given to us.
We use that information to resolve your complaint.
If your complaint reasonably requires us to contact some other person, we may decide to give to that other person some of the information contained in your complaint. We do this as infrequently as possible, but it is a matter for our sole discretion as to whether we do give information, and if we do, what that information is.
If we think your complaint is vexatious or without any basis, we shall not correspond with you about it.
We may compile statistics from information relating to complaints to assess the level of service we provide, but not in a way that could identify you or any other person.
6. Management of your information
Access to your personal information
At any time you may review or update personally identifiable information that we hold about you.
To obtain a copy of the information we hold about you, please contact us at firstname.lastname@example.org
After receiving the request, we will tell you when we expect to provide you with the information, and whether we require any fee for providing it to you.
Removal of information
If you wish us to remove personally identifiable information from our record, you should contact us at email@example.com
If you do so we have no alternative than to treat your request as notice to terminate this contract. If that happens, termination will accord with the provisions in this contract.
All provisions in this contract relating to termination, express and implied, will follow.
Verification of your identity
When we receive any request to access, edit or delete personal identifiable information we shall first take reasonable steps to verify your identity before granting you access or otherwise taking any action. This is important to safeguard your information.
7. Post termination
4.13 Physical goods of yours, which we necessarily hold as part of our contractual relationship are not personal data and are not affected by the Act.
4.14 Upon termination of our agreement with you, we and any contractual data processor will:
4.14.1. delete all your personal data from our electronic records by some method which prevents future re-activation of that data.
4.15 We shall not destroy or delete all your data and retain such personal data for six years, for these reasons:
4.15.1. for accounting and taxation purposes;
4.15.2. to provide evidence if required in connection with a legal claim;
4.15.3. for any other reason where the law provides a six years limitation period;
4.16. If any event occurs which requires us lawfully to continue to retain data beyond that period, then we may do so.