Background

The term ‘personal data’ means any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The European Union (EU) General Data Protection Regulation (GDPR) and UK Data Protection Act mandate regulatory requirements to protect personal data, which this notice discusses.

A privacy notice is a statement made to an individual (known as a data subject), that describes how an organisation collects, uses, retains and discloses their personal information.

The purpose of this privacy notice is to communicate to our customers our intention to be transparent, process lawfully, fairly and provide clear, effective and accessible information about how we will use their personal data. We are committed to limiting the amount of personal data we collect from you in the successful delivery of our services and its permanent destruction upon completion of agreed data processing. Just as importantly, we intend to ensure its accuracy, integrity and confidentiality.

This privacy notice intends to give individuals greater choice and control over how their personal data is used and to build trust and confidence within the Traveltrust Global customer base.

This privacy notice has been written under the code of practice provided by the UK Information Commissioner’s Office (ICO).

 

Our responsibility as processors of personal data

Traveltrust Global Ltd (herein Traveltrust Global) provides corporate travel management solutions to organisations (collectively known herein as ‘the client’). Where personal data is received from a client, following a request for information about Traveltrust Global services or under a contract with Traveltrust Global, Traveltrust Global effectively becomes the data controller and is responsible for processing personal data on behalf of the respective client.

 

What personal data do we collect?

Traveltrust Global collects only enough personal data effectively to communicate with our clients and to populate individual employee traveller profiles, to achieve the delivery of corporate travel services. This type of data includes:

• Contact information – name, job title, address information, e-mail address, telephone number(s) and PA / secretary name and contact details.
• Passport
• Travel membership and loyalty programme
• Travel preferences (e.g. airline seating / hotels)
• Payment card

We accept that we might be required to collect specific travel data, such as dietary preferences, special needs, health, medical and mobility information that, in turn, may possibly reveal sensitive personal data, such as that relating to an individual’s religion, medical or ethnicity.

The lawful processing of sensitive personal data is achieved through explicit consent from the client.

 

How do we collect your personal data?

We will only collect personal data from you upon your travel arrangement, product or service enquiry. This data collection will occur when either party communicates by telephone, letter, e-mail, fax, SMS, website enquiry or in person.

Where you make a travel booking on behalf of another member of staff, you agree you have obtained the consent of the other person for us to collect, use, retain and disclose the other person’s personal data in accordance with this notice and that you have made the other person aware of this notice.

We will not make initial communications with individuals, without first obtaining consent. We will communicate with business contacts via e-mail or SMS without prior consent but will always consider prior “opt-out” and unsubscribe requests.

We will always say who is calling, allow our number (or an alternative contact number) to be displayed to the person receiving the call and provide a contact address if asked.

We will also maintain a ‘do not contact’ list of people, to ensure that those individuals and businesses, whom have requested to be removed from further communications, are no longer contacted without regaining consent.

For communications actively requested by you, or correspondence with clients to provide information they need about a current contract, or travel information that directly affects their employees, we will not look for prior consent.

 

How do we use your personal data?

We will lawfully process client employee personal data solely for travel services, in the fulfilment and performance of the client contractual obligations.

The lawful processing of client personal data for other services associated, but not directly related to travel, will be achieved through individual employee consent. We will ensure explicit consent is affirmed in a clear written statement and request that any individual who wishes to withdraw their consent later may do so by contacting us in writing.

We use personal data to:

• Fulfil requests made by our clients g. reporting, questions, etc.
• Provide notices about your account and inform you of changes to our products or
• Provide travel services and fulfil our obligations to our client’s employees and meeting attendees (e.g. administer travel and meeting reservations and assist in managing the travel and meeting arrangements).
• Contact individual travellers, with any personal data supplied to us by the client or trusted representative, to fulfil travel booking requirements.
• Communicate with individual travellers by e-mail, SMS, post, and telephone to provide them with customer

 

Where will we store your personal data?

We store your personal data on our secure Information Technology systems, located within the European Economic Area (EEA).

To enable us to deliver our core travel services, we use a global distribution system (GDS). A GDS is a computerised network database system, operated by a third-party company, that enables transactions between travel industry service providers and our systems. We store your personal data in our selected GDS (Amadeus), which is in the EEA. Amadeus’s default retention for a PNR (Passenger Name Record) is 5 years from when it becomes inactive. PNR’s are active for as long as a segment in the PNR is active (the related service is still pending). After the completion of the last segment of the PNR the PNR is archived and access to the PNR is restricted. After a period of 5 years the PNRs are deleted.

For those clients that utilise our online booking tool services, employee personal data is stored within their respective booking tool provider storage systems, some of which maybe outside of the EEA. We can provide specific online booking tool provider information upon request.

 

Who do we share your personal data with?

We will not sell, trade, rent or share your information with any other organisations for direct marketing, market research or commercial purposes and we will not pass on your details to other websites.

Traveltrust Global staff may require shared access to your personal data to enable us to fulfill travel related services on your request.

We will disclose your personal data to:

• Travel service providers such as travel wholesalers, tour operators, airlines, hotels, car rental companies, transfer handlers, passport and visa handlers and other related service providers. We transfer personal data to travel service providers around the world, so it is not possible for us to set out in this notice all the travel service provider details for whom we have no formal

commercial relationships. We can provide specific personal data transfer information upon request.

• Persons making travel booking on your behalf (for example, a work colleague, PA/EA, employer, family member or friend). This disclosure will only occur with your prior authorisation and authentication of the parties involved.
• Governmental bodies at certain overseas destinations for security, customs and immigration This is a requirement to fulfil travel plans as well as both a legal and security necessity.
• Regulatory bodies, law enforcement agencies, government agencies and public authorities to comply with a valid and authorised request, including a court order or other valid legal process.
• Travel delay refund and payment solution(s).
• Legal counsel to enforce or apply our terms of use and any other

 

How do we secure your personal data?

We have ensured that appropriate technical and organisational measures have been put in place to avoid unauthorised or unlawful processing, accidental loss or destruction of, or damage to personal data. We have achieved this by understanding and managing our information and privacy risks.

Any payment transaction details will be encrypted within Square Europe Ltd, all aspects of which comply with the Payment Card Industry Data Security Standards (PCI DSS).

Sending and receiving personal data over the Internet is generally not completely secure, and we cannot guarantee the security of your data while it is in transit. Please bear this in mind when deciding whether to include personal or sensitive information in any email messages you intend to send to Traveltrust Global. We will make available appropriate secure methods of transferring personal data. These details can be provided upon further request.

For all third-party service providers and suppliers that we engage with, due diligence has been undertaken through enforced contract or written data sharing agreements, to highlight their responsibilities around EU & UK data privacy law.

All our employees have undertaken a comprehensive information security and data privacy awareness training programme, which has attempted to reduce the level of human error and lower data privacy risk.

We have the appropriate procedures in place to detect, report and investigate a personal data breach. Should we become aware of a breach and we understand there to be a high risk to the rights and freedoms of an individual, we will endeavour to notify the affected individual without undue delay, and to notify the UK ICO no later than 72 hours after having become aware of it.

We have consulted representative bodies e.g. IATA, GTMC.

 

How long we will store your personal data?

To ensure we can be accountable, we will securely store records of all data processing.

It is appropriate for Traveltrust Global to retain personal data for as long as the client has a contract with the business. Even after the contract has ceased, we may need to continue holding some of this data for legal, compliance, regulation or operational reasons. However, personal data will not be kept indefinitely “just in case”; it will be permanently deleted from all our computing systems, within 30 days of useful purpose, reducing the risk that it will become inaccurate, out of date or irrelevant. We will endeavour to instruct that relevant third-parties also delete your data in-line with our policy.

Upon request, we can provide you with the criteria used to determine the retention period.

 

Your data, your rights

A client or individual may exercise the following lawful data privacy rights:

• the right to be informed – achieved through this privacy
• the right of access – request a copy of the data. We give you a description of it, tell you why we are holding it, tell you who it could be disclosed to and let you have a copy of the information in an intelligible
• the right to rectification – request data mistakes are corrected. If you have any concerns about the accuracy of your personal data, you will need to raise it in writing with us. You should be clear about exactly what you believe is inaccurate and how we should correct it, providing evidence of the inaccuracies where available.
• the right to erasure – request permanent deletion of data and be effectively “forgotten”, remember

that this will prevent us providing travel services, historical management reporting, etc.

• the right to restrict processing – forcing us and our third-parties to stop processing your
• the right to data portability – request we transfer your data easily and securely to another travel
• the right to object – if you believe we are processing personal data for direct marketing
• the right not to be subject to automated decision-making, including

 

These rights are communicated to us in a Subject Access Request (SAR). You may send a request for a Traveltrust Global Subject Access Request form, by sending a written request. Methods to confirm a requestor’s identity may include a copy of a passport, driving licence or utility bill. Once we have positively confirmed the identity of the requestor, we will service the SAR without undue delay and at the latest, within 28 days. We will extend the period of compliance by up to a further two months where requests are complex or numerous. If this is the case, we will inform the individual within 28 days of the receipt of the request and explain why the extension is necessary.

Certain conditions exempt Traveltrust Global from having to supply the requestor information, including crime prevention and detection.

We will provide you a copy of the SAR information free of charge. However, we can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with requests for further copies of the same information. Our fee will be based on the administrative cost of providing the information.

 

Keeping personal data accurate

Whilst the Traveltrust Global account management representatives will regularly check with clients for changes in personal data, we would be grateful if you could contact us and update us with accurate employee data.

 

Other websites

Our website may contain links to third party websites over which we have no control. We are not responsible for the data privacy practices of such websites. We encourage you to read the privacy notices of any linked third-party websites as we do not accept any responsibility or liability for these notices.

 

Changes to this privacy notice

This privacy notice will take effect from 25^th May 2018. As law dictates, we may need to make amendments to this notice. Therefore, we keep our privacy notice under regular review. Any changes will be posted on our website.

 

Contact us for further Information

Traveltrust Global tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. For further information on how your information is processed, agreements we have with other organisations for sharing information, how we check that the information we hold is accurate and up to date, how we maintain the security of your information or your rights to access information we hold on you, please contact:

 

[email protected]

 

Traveltrust Global Limited 35 New Broad Street

New Broad Street House London EC2M 1NH

 

Please contact us by telephone on the following number between the hours of 9am to 5:30pm:

 

+44 (0)203 290 9780

 

If you wish to make a complaint about the way we have processed your personal information, you can contact the statutory body which oversees data protection law. The contact details are as follows:

Information Commissioners Office: Website: https://ico.org.uk/concerns/ Postal Address:

Information Governance Department Information Commissioner’s Office Wycliffe House

Water Lane Wilmslow Cheshire SK9 5AF