Corus Hotels GDPR Statement

The European Commission’s directive for General Data Protection Rules (“GDPR”) comes into effect on 25 May 2018. Corus Hotels are committed to putting customers first and to implementing GDPR-compliant data management and protection practices. Corus Hotels are committed to ensuring that all our suppliers and service providers affirm compliance with GDPR, which requires anyone processing, holding, or making decisions on the purpose and use of any personal data of EU citizens to:

  • Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • Demonstrate processes for regularly testing, assessing, and evaluating the effectiveness of these measures for ensuring the security of the processing.

We have created a GDPR Portal for guests, clients and patrons to find more information on the specific requirements of GDPR.

Corus Hotels

GDPR Governance Statement

With effect from 25 May 2018

Corus Hotels (“the Hotels”; “we”; “us”; “our”) takes a Customer’s (“you”; “your”; “he/she”) personal data seriously and is committed to complying fully with the European General Data Protection Rules.

We will distinguish between Personal Data and Corporate Data

Corus Hotels makes a distinction between Personal Data and Commercial and Corporate Data, i.e. between the corporate and commercial data of individuals (including their corporate and commercial emails) and their personal data and emails. Corporate and commercial data, including individual corporate and commercial emails, are retained on the basis of legitimate interest to facilitate the ordinary course of our business and commercial relationships, transactions and business needs in the course of business dealings.

Data Security is of the highest priority for us and we shall manage all Personal Data in full compliance with the Hotels GDPR governance statement set out below.

We may require you to submit personally identifiable information in order for you to make use of our services. You confirm that any information you enter will be true. We will only request and collect information which is necessary or reasonable in order to provide you with your requested services and to improve the services that we provide. It will not be a requirement to provide any additional information which is not needed to provide the services.

  1. HOW WE HANDLE PERSONAL DATA: Our authorised staff have been trained to handle all personal data in a GDPR-compliant and appropriate manner. Please click here for our Personal Data Handling Procedure.
  2. SAFEGUARDING EXISTING PERSONAL EMAILS: Only the Hotel’s authorised Front Desk Staff, Meetings & Events Personnel, Supervisors and Managers have access to personal emails on our database. They have been trained in how to securely handle personal data, which is used solely for business purposes.
  3. SECURITY CLAUSE: We will continuously – as and when necessary and prudent – update our Security Clause.
  4. REGISTRATION CARD: From 1 April 2018 all our Registration Cards will have an ‘OPT-IN’ box. If you do not tick to Opt-In, we will not retain any of your personal data after your period of stay at any of our hotels comes to an end.
  5. UNSUBSCRIBE OPTION: All communication is clearly marked with an ability to ‘unsubscribe’ at any time.
  6. EXPRESS CONSENT: If you do not ‘OPT-IN’, or you choose to ‘unsubscribe’, we will not send you any marketing promotion or contact you at random.
  7. THIRD PARTY MARKETING LISTS: We will only purchase marketing lists from Third Party suppliers who expressly state themselves to be GDPR compliant.
  8. OPT-IN REVIEW: Every second September (in each even year) we will contact all our customers who have opted in to give them an ADDITIONAL opportunity to decide whether they wish to remain on our database and continue receiving our email marketing offers and promotions.
  9. ADDITIONAL MEASURE: We will provide a clear ‘Continue Opting-In’ check-box for this purpose. If the customer does not tick this check-box, we will remove the customer’s email from our database. This is an ADDITIONAL MEASURE to the ‘OPT-OUT’ or ‘unsubscribe’ tick-box, which is clearly visible on our GDPR Portal and available at any time.
  10. COOKIES: We use cookies. Our Cookie Policy will automatically appear when you visit our webpage. To continue using our webpage, our cookies will need to be accepted and consented to. You are in control of your cookies. If you wish to disable your cookies, please click here.
  11. WI-FI: All our Hotels provide third-party supplier Wi-Fi connectivity. We give all our visitors the option to expressly ‘OPT-IN’ and consent to future communications. We will not contact you with any offers or promotions if you choose not to opt in.
  12. CCTV: We use CCTV in our hotels for the purposes of safety, crime prevention and detection, and safeguarding in all our public areas, including in hotels where we have swimming pools which may be frequented by children. Automated Number Plate Recognition (ANPR) cameras are operated for automated vehicle access. Identified images are processed as personal data. We also collect, record and/or store ad-hoc CCTV Wedding images and details for promotions at Wedding Fayres and Public Events. This CCTV data is kept in secure environments and access is restricted to the Hotels’ authorised data team and qualified security personnel. We only store the information collected by CCTV for a period of 3 months, which allows us to assist regulatory bodies and law enforcement agencies. After 3 months we destroy all CCTV images in a controlled and verified manner. Our CCTV Policy, the Authorised Data Team who have limited authorised access to this data, our Secure Environment Procedure and our CCTV Data Destruction Policy and Procedures can be found on our GDPR Portal.
  13. THIRD PARTY SUPPLIERS: All relevant Third-Party Data Suppliers’ Data Policies have been sourced and retained for reference and are stored safely on a shared drive. Only the authorised Hotels data team has access to this data.
  14. PARTNERS & SUPPLIERS DATA POLICY: We will ensure that all our Partners and Suppliers are GDPR compliant in their declaratory statements. We cannot be responsible as to whether they are in fact compliant. The Data Policy links of our Partners and Suppliers can be found on our GDPR Portal, namely Salesforce, Rezlynx, Guestline, Synelink, Revinate, RGA, Moneypennies, Amco FM and any new supplier who deals with personal data.
  15. DESTRUCTION OF PHYSICAL DATA: Destruction of physical data is carried out by authorised third-party data shredding companies, which issue a certificate of destruction when the data is destroyed. We keep this certificate on file for 1 year, after which it is destroyed.
  16. TRAINING: From April 2018, and as part of an ongoing process with new employees, we will conduct groupwide training and induction for staff and personnel working within our Hotels with access to personal data, namely staff at RECEPTION and within SALES and MARKETING, ACCOUNTS, HUMAN RESOURCES and MANAGEMENT.
  17. LEGAL REQUIREMENT: We will only share your personal data if legally required to do so, or to assist in any recovery proceedings or as part of a complaints procedure as and when prudently necessary.
  18. OUR PLEDGE: Other than where legally required to do so, or to assist in any recovery proceedings or as part of a complaints procedure, we DO NOT share your personal data with any Third Parties.
  19. YOUR RIGHTS: You have the right to request to see the personal information that we hold on you, as well as to request that inaccurate information be corrected. You may ‘OPT-OUT’ of any communication you have previously consented to at any time on our webpage or via the Opt-Out link. Any request to update incorrect information should be directed to the Hotels’ Data Protection Officer at DPO@corushotels.com or alternatively by post to Data Protection Officer, Corus Hotels Ltd, 1 Auckland Park, Milton Keynes, MK1 1BU. This right excludes all corporate or commercial data. We will not charge you for any personal request made by you and only you unless the request is unfounded or excessive. We may require proof of your valid identity before we supply the information to you.
  20. DATA BREACH: In the event of a data breach, Corus Hotels’ Data Protection Officer shall promptly, within 48 business hours, or immediately after a weekend or on the business day after a bank holiday, notify the Information Commissioner’s Office and the affected party of any such breach of personal data.
  21. STATEMENT UPDATES: The Hotels reserve the right to update and amend this GDPR DATA GOVERNANCE STATEMENT. All such developments will be deemed notified to you by updating this Data Governance Statement.

Corus Hotels

General Data Protection Rules Compliance Framework Guide

GDPR Portal:

  • GDPR Governance Statement
  • Data Privacy Policy
  • Legal Basis for Processing Personal Data
  • Data Processing & Retention of Personal Data
  • Guests Access Rights

Essential Q&A on Corus Hotels’ GDPR Compliance:

  • GDPR Compliant Standard Operating Procedure
  • GDPR Human Resources
  • GDPR Front of House
  • GDPR Housekeeping
  • GDPR Food & Beverage
  • GDPR Guest Relation, Reservation, Meeting & Events, Sales Office
  • GDPR Accounts / Payroll
  • GDPR Marketing
  • GDPR Leisure Clubs
    • The Regency Hotel Solihull Leisure Club
    • Burnham Beeches Hotel Leisure Club
  • GDPR CCTV

Supplier GDPR Policies

Corus Hotel GDPR Training Records

Corus Hotels – Legal Basis for Processing Personal Data

Corporate and Commercial Individual Data

Corus Hotels (“we”, “us”, “our”) makes a distinction between the corporate and commercial data of individuals (including their corporate and commercial emails) and their personal data and emails. Corporate and commercial data, including individual corporate and commercial emails, are retained on the basis of legitimate interest to facilitate the ordinary course of our business and commercial relationships, transactions and business needs in the course of business dealings. Individuals with corporate or commercial emails may at any time write to the Data Processing Officer at DPO@corushotels.com to request that we no longer retain their data. This can result in Corus Hotels no longer being able to communicate or transact with any such individual, and we may request that a company or body corporate dealing with us nominate another person who is expressly willing to receive communication and to have their corporate and commercial individual data retained in the course of business dealings, subject always to that person’s individual rights as set out herein. It shall be the responsibility of each company or body corporate to establish the express consent of persons acting on their behalf.

Corus Hotels have set out herein the Legal Basis for Processing Customer Personal Data. Circumstances where legitimate business interest might apply have been set out below for your reference.

The Legal Basis for Corus Hotels Ltd (collectively referred to as “Hotel”) processing and/or retaining Personal Data, subject to the Data Protection Act 1998 and the European General Data Protection Rules (“GDPR”), is as follows:

  • the Hotel shall require from all parties who handle its personal data a statement as to whether such data will be processed or retained outside the European Union, and that the Hotel’s express written consent must be sought for any such processing, on the basis of express consent by the Client or on the basis of a clearly evidenced legitimate interest, usually one necessary to enable the Hotel to perform its contractual obligations or to comply with any legal obligations enforceable in the Courts of England and Wales;
  • the Client, in booking a stay and/or use of the Hotel’s facilities, consents to the processing of his or her personal data to enable the Hotel to fulfil the Client’s needs and requirements during the Client’s stay at the Hotel and/or use of the Hotel’s facilities;
  • the Employee’s personal data shall be retained on the basis of legitimate interest for a period of 7 years after the Employee leaves the employment of Corus Hotels Ltd. The Client may refer to the Hotel’s Data Privacy Policy weblink (please see: Data Processing & Retention of Personal Data on our GDPR Portal);
  • the Hotel needs to receive, retain and process relevant personal details insofar as necessary to enable it to perform its contractual obligations or to take necessary steps, upon the request of a Client or an Employee, prior to entering into a contract;
  • the Hotel, as the Data Controller, will process and/or retain data insofar as it is necessary to enable the Hotel to comply with its legal obligations, including but not limited to assisting the Government’s security agencies as part of any investigative query that may be made, and shall retain such data under such circumstances until advised by the said security agencies that such data is no longer required, whereupon it shall be destroyed within 7 days of any such final notice;
  • the Hotel shall process and retain personal data insofar as it is necessary, subject to particular circumstances, to protect the vital interests of the Client or Employee or any other natural person, for example the need to contact the next of kin or upon a dispute raised by a Client or Employee;
  • the Client or the Employee consents that anonymised personal data relating to the Client or the Employee (all personal identification removed) may be used when the Hotel is required to act in the public interest or in the exercise of official authority vested in the Hotel as the Data Controller;
  • the Hotel’s retention of personal data of the Client or the Employee will be insofar as it is necessary for the legitimate interests pursued by the Hotel’s Data Controller or a third party (normally Statutory agencies); the Client may seek to withdraw such consent at any time and, subject to the foregoing subclauses parts (a) to (e), the Hotel will comply with the Client’s request. The Client’s rights can be found at The Guest’s Rights with respect to Personal Data under GDPR on our GDPR Portal. All Employee personal data legally required in the course of the Employee’s employment with the Hotel shall be retained until 7 years after the Employee leaves the employment of the Hotel, whereupon it shall be destroyed if there are no ongoing issues or disputes between the Employee and the Hotel;
  • the Hotel will not retain any data in relation to any child or children and shall, in circumstances involving such minors, only deal with their parents or guardians as the case may be.

Legitimate Business interest

  1. Direct marketing

The GDPR states, ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’ This may apply where consent is not viable or not preferred, where there is a business need or purpose, and where there is a balance between our business interests and those of the person(s) receiving such direct marketing.

During the period in which a person responds to and communicates with us on our marketing approach, we will retain such data securely at the relevant department. Reference may be made to our Data Processing & Retention of Personal Data Policy. Where such correspondence on the initial approach ceases, or at any time during such communication, any person can easily click on the ‘unsubscribe’ link or make a request by contacting the Data Processing Office at DPO@corushotels.com or at our postal address, which can be found in the Data Privacy Policy – Corus Hotels.

  2. Relevant and appropriate relationship

This may be a direct appropriate relationship, such as where the individual is a client.

  3. Reasonable expectations

As previously discussed, if a controller understands that individuals have a reasonable expectation that their data will be processed, this may help to make a case for legitimate interests.

Data Processing & Retention of Personal Data Policy

Corus Hotels Ltd will retain your personal data for the period it is validly necessary in relation to the subject matter of any enquiry, booking, period of stay, transaction, employment period and marketing communication, on the basis of business needs and/or a legitimate interest.

We will only keep data which is relevant to your transaction and/or relationship with us, as follows:

  • For all Clients of the Hotel, once the Client is no longer a guest at the Hotel and there are no outstanding matters between the Hotel and the Client, the Hotel will delete all personal data of the Client, further to existing legal requirements, two (2) years after the Client’s last use of or stay at the Hotel and, in any event after that two-year period, within seven (7) days of the settlement of any outstanding balance or issues, whichever is the later;
  • For all Employees, we will retain personal data during the period of the employee’s employment and for seven (7) years after the employee leaves the employment of Corus Hotels Ltd, and thereafter destroy the same by handing all related files to a certified data shredding company and removing all related files from our database;
  • Personal data for all Marketing Communications expressly consented to by the Client will be deleted upon the Client opting out or unsubscribing from further marketing communications. The Client will be provided with clear boxes to ‘Opt-Out’ or ‘unsubscribe’ from any further communication at any time and will not receive any such communication material thereafter. The unsubscribe link will be at the end of every email.

Guests Access Rights

Booking or Transacting with the Hotel

As a matter of legitimate business interest, when you enquire, make a reservation and/or communicate with the hotel as an intended guest, you consent for the Hotel to receive, process and retain your data for the intended purpose or until the period of your stay is complete. You may click on our Data Privacy Policy as to the purpose we collect this data and our Data Processing & Retention of Personal Data Policy as to how long we will retain your personal data.

Your Rights

As a guest from an EU Member State, your rights as a guest are as follows:

  • The right of access to your data upon your written request to our Data Protection Officer at the contact details below. You may follow the same procedure for all your rights below;
  • The right to rectification, by following the same procedure;
  • The right to erasure;
  • The right to restrict processing;
  • The right to transfer your data to another party with your express written instruction;
  • The right to object;
  • The right not to be included in automated marketing initiatives or profiling.

The Information Commissioner’s Office’s guide on how to make a personal request for information can be found by clicking on this link: https://ico.org.uk/for-the-public/personal-information/

Guest Access Requests

We will ordinarily respond to you by email within 30 days of your making any request with respect to the rights stated herein above. For a postal response, the effective response date will be the date of posting and not of receipt. We will not charge you for any personal request made by you and only you unless the request is unfounded or excessive. In the event we decline your request, primarily but not exclusively on the basis of conflicting data protection or privity of contract issues, we will notify you – primarily by way of an email – of our reasons for declining your request.

If you are not satisfied with our reasons for declining your request, you may write your complaint to the following parties:

  1. The Information Commissioner

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email: casework@ico.org.uk or follow these links: https://ico.org.uk/for-the-public/raising-concerns/ and  https://ico.org.uk/global/contact-us/email/

and/or

  2. Our Data Protection Officer:

The Data Protection Officer,
Corus Hotels Ltd
Corus House
1 Auckland Park
Milton Keynes
MK1 1BU

Email: dpo@corushotels.com

Lawful Basis for Processing Guest Data

You can click on this link to follow our Legal Basis for Processing Personal Data and our Data Processing & Retention of Personal Data on our GDPR Portal

Essential Q&A on Corus Hotels’ GDPR Compliance

  1. Do you use this data for any other purpose than the fulfilment of our contract with you; namely for anything other than the delivery of the service accommodation to our customer?

Corus Hotels does not use personal data for any other purpose other than for the legitimate purpose and interest in delivering the service of accommodation to our Customers.

  2. Do you share this data with any other party and if so who and why?

Corus Hotels does not actively share Customer Data. However, Guestline, as our PMS provider, has access to this data and would be deemed a Data Processor under the GDPR Rules. We have obtained a GDPR Compliance statement from Guestline.

Corus only shares Employee data on the basis of business needs and requirement and legitimate interest.

  3. What period do you retain the data for? (i.e. what period after fulfilment of the contract do you retain the data for prior to disposing of it?)

A maximum of 2 years for Customers and 7 years for Employees as set out hereunder:

  • For all Clients of the Hotel, once the Client is no longer a guest at the Hotel and there are no outstanding matters between the Hotel and the Client, the Hotel will delete all personal data of the Client, further to existing legal requirements, two (2) years after the Client’s last use of or stay at the Hotel and, in any event after that two-year period, within seven (7) days of the settlement of any outstanding balance or issues, whichever is the later;
  • For all Employees, we will retain personal data during the period of the employee’s employment and for seven (7) years after the employee leaves the employment of Corus Hotels Ltd, and thereafter destroy the same by handing all related files to a certified data shredding company and removing all related files from our database;
  • Personal data for all Marketing Communications expressly consented to by the Client will be deleted upon the Client opting out or unsubscribing from further marketing communications. The Client will be provided with clear boxes to ‘Opt-Out’ or ‘unsubscribe’ from any further communication at any time and will not receive any such communication material thereafter. The unsubscribe link will be at the end of every email.

  4. Do you have a process in place that would allow you to respond effectively and in a timely manner to requests from us to ascertain the data that you are holding on one of our customers, to correct any errors in that data and, following fulfilment of the contract, to comply with an individual’s request to erase their data?

Yes – you may contact our Data Processing Officer at DPO@corushotels.com

We have established clear GDPR compliant Access Rights under our Data Privacy Policy:

You have a right to access the personal information that is held about you. Please refer to details of your rights by clicking on this link: Guest Access Rights on our GDPR Portal. To obtain a copy of the personal information Corus Hotels holds about you, please email us at DPO@corushotels.com enclosing your postal details and the details of your request.

Alternatively, you can write to us at the following address:

Data Protection Officer
Corus Hotels Ltd
Corus House
1 Auckland Park
Milton Keynes
MK1 1BU

  5. What steps have you taken to secure and protect the data? In particular from a breach or other cyber-attack.

We have entrusted our Data Security protection, including protection against cyber-attacks, to our contractor IDE Group Ltd. IDE Group control and monitor all Corus Head Office and Hotels internet traffic through a security gateway. Credit card data is encrypted on our credit card machines, and online payments are made only through our secure gateway providers, namely Lloyds Bank plc, Global Blue Service Company Austria GmbH and Bank of China (UK) Limited, using the latest SSL (Secure Sockets Layer) technology to make sure that the details you provide when placing an order are kept private and secure, making shopping on our website safe. Please refer to Payment Card Security in our Data Privacy Policy on our GDPR Portal.

  6. Where and how is the data stored?

  • Physical Data: stored at the Front Desk. The data card is locked in a cabinet and is accessible only by authorised personnel of Corus Hotels. Authorised personnel must sign the secure key in and out every time they use it.
  • Electronic Data: data on our PMS system is only accessible with a secure password.
  • Destruction of Physical Data: pursuant to our GDPR Policy, physical data, which is secured in a locked cabinet with a security key, is handed on or before the end of 2 years from the date such data came into being to an authorised and certified Data Shredding Company.

  7. Who can access the data and what controls are in place to prevent unauthorised access?

We have a GDPR Policy and Process in place as to who can access such data. As a hotel operator, the individuals who can access such data are Corus Hotels’ authorised personnel, particularly the Front Desk, who need to deal with such data on a business need and/or legitimate interest basis.

  8. What is your notification plan in the event of a data breach?

The Data Protection Officer at Corus Hotels Ltd shall promptly, within 48 business hours, or immediately after a weekend or on the business day after a bank holiday, notify the Information Commissioner’s Office and the affected party of:

  • any data breach;
  • the circumstances of such breach;
  • the steps taken to remedy the breach; and
  • the steps taken to prevent a similar recurrence.

GDPR SOPs – May 2018

GDPR – HOUSEKEEPING

Data held: Lost Property Files (home address, email address, credit cards, etc.)
Storage: HSK Office
Accessibility: Head Housekeeper; Asst. HSK; Duty Manager
Action plan: Any lost property containing personal data must be stored in a locked cabinet.

Data held: Guest Feedback cards (where applicable)
Storage: Front Office and then Marketing
Accessibility: Housekeeping Personnel; Reception Personnel
Action plan:
  • All housekeeping personnel to be trained on how to handle documents containing personal data.
  • Feedback cards to be handed to the Front of House team as soon as collected.

Data held: Names, addresses and timesheets of employees
Storage: HSK Office
Accessibility: Head HSK; Asst. HSK; DM
Action plan: The data must be stored in a locked cabinet or locked office.

Data held: Computer
Storage: HSK Office
Accessibility: HSK Manager and Asst. (one email account, 2 with access)
Action plan: Computer must be in sleep mode and the user logged out when left unattended.

Data held: HSK Office
Storage: N/A
Accessibility: Supervisors; HSK Manager; Asst. HSK
Action plan: Must be locked when unattended, with the filing cabinet locked so that no one can access personal data.

Data held: Master Keys
Storage: HSK Office
Accessibility: Supervisors; HSK Manager; Asst. HSK
Action plan: Sign-in/sign-out register, which must be kept in a locked cabinet.

HUMAN RESOURCES

Data held: Employee data – personal information consisting of email, contact number, CV and other personal details (sensitive)
Storage: Locked cabinet or locked office
Accessibility: HR Personnel
Action plan:
  • No documentation containing personal data to be left unattended.
  • All personnel files must be stored in a locked cabinet.
  • Where possible, keep personnel sickness records separate from other less sensitive data (e.g. a simple record of absence).
  • Only allow managers access to health information where they genuinely need it to carry out their job.
  • When conducting staff surveys, please make sure they are anonymised.

Data held: HR Office
Storage: N/A
Accessibility: HR Personnel; GM
Action plan: Password/keys only available to HR Personnel and GM.

Data held: Correction/update to personal data
Storage: HR Office; personnel files
Accessibility: HR Personnel
Action plan:
  • Let workers check their own records periodically. This will allow mistakes to be corrected and information to be kept up to date.
  • Please make the “change to personal details” form available to employees to prompt them to update their personal data.
  • Check what records are kept about your workers, and make sure you are not keeping information that is irrelevant, excessive or out of date. Delete information that you have no genuine business need for or legal duty to keep.

Data held: Recruitment data; CVs
Storage: HR Office; personnel files
Accessibility: HR Personnel; HODs; GM
Action plan:
  • Obtain written consent from employees before disclosing a reference.
  • Please refer to the GDPR Policy.

Data held: Disposal of confidential documents
Storage: Locked storage
Accessibility: Front of House staff; Finance Department; Duty Managers
Action plan:
  • Shredder must be available to the department.
  • Please refer to the retention of records requirements for the specified times of disposal.

Data held: Computer monitors/laptops
Storage: HR Office
Accessibility: HR Personnel
Action plan:
  • Install a privacy screen to restrict the view where possible.
  • Computer must be in sleep mode and the user logged out when left unattended.

FOOD & BEVERAGE

Data held: File containing holidays, F&B training, supplier names and contact details
Storage: Locked office or locked cabinet
Accessibility: Restricted access to managers and supervisors
Action plan:
  • All documentation containing personal data must be stored in a locked cabinet or locked office.
  • Only accessible to authorised personnel who have signed a GDPR policy disclaimer.

Data held: Desktop computers
Storage: Office
Accessibility: F&B Supervisors; F&B Managers
Action plan:
  • Install a privacy screen to restrict the view where possible.
  • Computer must be in sleep mode and the user logged out when left unattended.

Data held: PDQ slips containing credit card details
Storage: Tills and then Front of House
Accessibility: F&B Personnel
Action plan: No PDQ slips to be left unattended; make sure they are in a secure location at all times and hand them in to a member of staff at reception.

Data held: Disposal of confidential documents
Storage: N/A
Accessibility: N/A
Action plan:
  • Shredder must be available to the department, and any hard-copy document containing personal data must be shredded.
  • No documentation containing personal data to be left unattended (e.g. function sheets, guest breakfast list, etc.).

Data held: F&B Office
Storage: N/A
Accessibility: Supervisors; Managers
Action plan: No documentation containing personal data to be left unattended.

FRONT OF HOUSE

Data held: Guest registration cards/invoices containing email addresses, names, addresses, telephone numbers, car registrations, passport copies, etc.; PDQ slips
Storage: Locked cabinet
Accessibility: Front of House staff; Finance Department; Duty Managers
Action plan:
  • Registration cards, passport copies, invoices, PDQ slips and any other personal data must be accessible only to Front of House personnel/Duty Managers/Accounts.
  • No registration cards, passport copies, invoices, PDQ slips or other personal data to be left unattended.
  • Registration cards, passport copies, invoices and PDQ slips must be stored in a locked cabinet.
  • Old registration cards, passport copies, invoices and PDQ slips must be stored in a locked storage room.
  • Registration cards, passport copies, invoices, PDQ slips and any other personal data must be held for no longer than 2 years.
  • Old registration cards, invoices, PDQ slips and any other personal data must be disposed of using a certified shredding company, and the certificate must be provided to the Finance Department.

Data held: Guest feedback cards with the opt-in box TICKED
Storage: –
Accessibility: –
Action plan: Mail by ‘signed for’ post to the Marketing Department at Head Office.

Data held: Desktop computer
Storage: Reception/Front Office
Accessibility: Front of House staff; Duty Managers
Action plan: Privacy screen to prevent other staff and guests from viewing guests’ details.

Data held: Login to Rezlynx (front office system)
Storage: PC/laptop
Accessibility: Front of House staff; Finance Department; Duty Managers
Action plan:
  • Team members must use their own logins.
  • Computer must be in sleep mode and the user logged out when left unattended.
  • Passwords must be changed on a regular basis.
  • Users who are no longer required must be deactivated within 24 hours.

Data held: Disposal of confidential documents
Storage: Locked storage
Accessibility: Front of House staff; Finance Department; Duty Managers
Action plan:
  • Shredder must be available to the department.
  • Please refer to the retention of records requirements for the specified times of disposal.

Data held: FOH Office – storage of staff information, mobile numbers, suppliers’ details, function sheets, etc.
Storage: Locked cabinet
Accessibility: Only authorised personnel
Action plan: No documentation containing personal data to be left unattended.

GUEST RELATION, RESERVATION, MEETING & EVENTS, SALES OFFICE

Data:
  • Guest complaints, email addresses, contracts
  • Sales: email addresses, revenue, contact numbers, credit card information
  • Function sheets
  • Invoices
Storage:
  • Filing cabinet in locked office
  • Locked cabinet
  • PCs/laptops
Accessibility:
  • Guest Relation personnel
  • Reservation personnel
  • Meeting & Events personnel
  • Sales personnel
Action Plan:
  • Any documentation containing personal data must be accessible only to Guest Relation, Reservation, M&E and Sales personnel
  • No personal data to be left unattended
  • Documentation containing personal data must be stored in a locked office or locked cabinet
  • Please refer to the documentation disposal timetable and dispose of documentation containing personal data accordingly
  • Dispose of old documentation containing personal data by using a certified shredding company; the certificate must be provided to the Finance Department
  • No personal data may be used to contact anyone proactively unless they have expressly opted in to receive such communication from us. If in doubt, please refer to the Marketing Department

Data: Computers and laptops containing personal data
Storage: Offices
Accessibility: Visibility
Action Plan:
  • Privacy screen on the computers
  • Computers must be put in sleep mode and the user logged out when left unattended

Data: Sales and Reservation office
Storage: Locked storage
Accessibility: Only authorised personnel
Action Plan:
  • No documentation containing personal data to be left unattended

Data: Disposal of confidential documents
Storage: Locked storage
Accessibility:
  • Guest Relation
  • Reservation
  • M&E
  • Sales team
  • DM
Action Plan:
  • A shredder must be available to the department and any hard copy document containing personal data must be shredded
  • Please refer to the retention of records requirements for the specified times of disposal

ACCOUNTS/ PAYROLL

Data:
  • Financial data and documentation (including guest invoices, bank details, credit card details, P&L, POs, etc.)
  • Suppliers’ details
  • Suppliers’ invoices
  • Ledger invoices
Storage:
  • Filing cabinet in locked office
  • Locked cabinet
Accessibility: Accounts personnel
Action Plan:
  • Any documentation containing personal data must be accessible only to Accounts personnel
  • No personal data to be left unattended
  • Documentation containing personal data must be stored in a locked office or locked cabinet
  • Please refer to the documentation disposal timetable and dispose of documentation containing personal and financial data accordingly
  • Dispose of old documentation containing personal and financial data by using a certified shredding company and keep the certificates on file

Data: Employee data / Payroll data
Storage:
  • Filing cabinet in locked office
  • Locked cabinet
Accessibility:
  • HR personnel
  • Accounts
Action Plan:
  • As per above
  • If you collect information about workers to administer a pension or insurance scheme, only use the information for the administration of the scheme. Make sure workers know what information the insurance company or other scheme provider will pass back to you as the employer.

Data: Nest pension
Storage:
  • PCs/laptops
  • Personnel files
Accessibility: HR/Payroll personnel
Action Plan:
  • Only use the information for the administration of the scheme.

Data: Accounts Office
Storage: NA
Accessibility:
  • Accounts team
  • HR
  • DM
Action Plan:
  • Privacy screen on the computers
  • Computers must be put in sleep mode and the user logged out when left unattended
  • No documentation containing personal data to be left unattended

Data: Disposal of confidential documents
Storage: Locked storage
Accessibility:
  • Accounts personnel
  • DM
Action Plan:
  • A shredder must be available to the department and any hard copy document containing personal data must be shredded
  • No documentation containing personal data must be left unattended
  • Please refer to the retention of records requirements for the specified times of disposal

MARKETING

Data: Guest personal data held on various databases/social media
Storage: PC/Laptop
Accessibility: Marketing personnel
Action Plan:
  • No documentation containing personal data to be left unattended
  • All guest data to be available only on a password-protected PC/laptop
  • All databases and social media must be accessible only by authorised personnel and be password protected

Data: Disposal of confidential documents
Storage: PC/Laptop
Accessibility: (not specified)
Action Plan:
  • A shredder must be available to the department and any hard copy document containing personal data must be shredded
  • No documentation containing personal data must be left unattended
  • Delete conversations on social media older than two weeks, unless needed
  • Deal with opt-out requests as soon as possible and no later than the time specified in the company GDPR policy

Data: Guest feedback cards with the opt-in box ticked
Storage: Locked cabinet
Accessibility: Marketing personnel
Action Plan:
  • Marketing receives guest feedback cards from the hotels and retains only the opted-in ones, solely for marketing and promotional purposes.

Data: Computer monitors/laptops
Storage: Marketing office
Accessibility: Marketing personnel
Action Plan:
  • Install a privacy screen to restrict the view where possible
  • Computers must be put in sleep mode and the user logged out when left unattended

Leisure Clubs

GDPR SOP – Solihull Leisure Clubs

Data: Membership forms
Storage:
  • Filing cabinet in locked office
  • Locked cabinet
Accessibility:
  • Leisure Club staff
  • Finance Department
  • Duty Managers
Action Plan:
  • Any documentation containing personal data is accessible only to authorised Leisure Club staff
  • All such personal data must be kept under lock and key, accessible only to authorised Leisure Club staff, who must sign a Key In & Out Log every time they use the key to gain access to such data.
  • The key must always be kept by the person authorised to do so and returned to the Leisure Club Manager, or alternatively the Hotel’s Operations or General Manager, for safekeeping when the club closes for the day
  • No personal data is to be left unattended.
  • No personal data may be used to contact anyone proactively unless they have expressly opted in to receive such communication from us. If in doubt, please refer to the Marketing Department

Data: Day passes
Storage: Folder in locked cabinet
Accessibility:
  • Leisure Club staff
  • Finance Department
  • Duty Managers
Action Plan:
  • Data from the last 30 days that is no longer active shall be kept at the leisure facility within the Hotel.
  • All inactive data beyond 30 days and up to 3 years is kept in the designated locked office within the Hotel.
  • The Leisure Manager shall keep the main key and spare key in the GM’s office.
  • Any data over 3 years old shall be destroyed by a certified company within 1 year from the end of the 3-year period.

Data: Residents; privacy statements on membership forms
Storage: Kept in locked leisure office as above. Data up to 3 years.
Accessibility: Leisure Manager and HR Manager
Action Plan: This is the exact privacy statement on membership forms:

1. In compliance with the Data Protection Act 1998, we take the privacy of our members very seriously. If you have any requests concerning your personal information or any queries in regard to our processing, please contact the club manager. The statements below explain how we use your personal information.

  • Information collected: We collect personal information from you through the membership form and your use of our facilities. The information we collect may relate to your physical health or condition.

  • Use of your information: We use your personal information for the purposes of providing and personalising our membership services and may contact you from time to time informing you of related services or products. If you do not wish to receive such information, you should instruct the club manager accordingly, in writing. We may also contact you if you have not recently attended the facilities to offer encouragement or seek information on the reasons for your recent absence. Again, if you do not wish to be contacted in this way, please instruct the club manager in writing.

Data: Privacy notices on sign-in books
Storage: Same as above
Accessibility: Same as above
Action Plan: Sign-in book notice: By selecting yes, you agree to receive e-mails or phone calls regarding information about memberships and sales opportunities within our leisure club. By signing you accept full responsibility for yourself and the person(s) accompanying you, particularly all children and teenagers up to the age of 18. You are aware that use of the club is entirely at your own risk and that no liability, damage or injury arising from your use without supervision shall be the responsibility of the owner or manager or operator of the club. You are also signing to agree and abide by the Terms and Conditions set within The Regency Leisure Club. Terms and Conditions are displayed on the notice board by the leisure reception. You can request a copy from the Hotel reception at any time. Finally, you are signing to confirm that you are physically fit enough to engage in exercise within the club. If you are unsure of this, please contact your GP for approval prior to exercise. We also accept no responsibility or liability for personal belongings within the leisure club. Guests and members are responsible for their own possessions, including any damage and loss to personal effects and belongings.

Data: Computers and laptops containing personal data
Storage: Leisure reception desk
Accessibility: Shared login, leisure club staff only
Action Plan:
  • Privacy screen on the computers
  • Computers must be put in sleep mode and the user logged out when left unattended

Data: CCTV coverage
Storage: Two systems operating: one internal to the leisure club and the other the general hotel system
Accessibility:
  • Internal: only the Maintenance Manager has the code
  • General hotel: GM, Ops and Maintenance Manager have codes
Action Plan:
  • Images are recorded over every 28 days on both systems; images can only be viewed or saved by using a code and can only be saved onto a network-secured device.

Data: CCTV statement
Storage: Generic statement
Accessibility: On wall in leisure club
Action Plan:
  • “Security Notice: These premises are under CCTV surveillance for the purposes of crime prevention and public safety. Operated and controlled by Corus Hotels Limited.”

Data: Disposal of confidential documents
Storage: Locked storage
Accessibility: Leisure Manager and HR Manager
Action Plan:
  • A shredder must be available to the department
  • Please refer to the documentation disposal timetable and dispose of documentation containing personal data accordingly
  • Dispose of old documentation containing personal data by using a certified shredding company; the certificate must be provided to the Finance Department

GDPR SOP – Burnham Leisure Clubs

Data: Membership forms
Storage:
  • Filing cabinet in locked office
  • Locked cabinet
Accessibility:
  • Reception and Sales Office staff
  • Finance Department
  • Duty Managers
Action Plan:
  • Any documentation containing personal data is accessible only to authorised Reception and Sales Office staff.
  • All such personal data must be kept under lock and key, accessible only to authorised Reception and Sales Office staff, who must sign a Key In & Out Log every time they use the key to gain access to such data.
  • The key must always be kept by the person authorised to do so and returned to the Front Office Manager, or alternatively the Hotel’s Operations or General Manager, for safekeeping.
  • No personal data is to be left unattended.
  • No personal data may be used to contact anyone proactively unless they have expressly opted in to receive such communication from us. If in doubt, please refer to the Marketing Department

Data: Residents; privacy statements on membership forms
Storage: Kept in locked leisure office as above. Data up to 3 years.
Accessibility: Front Office Manager and HR Manager
Action Plan: This is the exact privacy statement on membership forms:

1. In compliance with the Data Protection Act 1998, we take the privacy of our members very seriously. If you have any requests concerning your personal information or any queries in regard to our processing, please contact the club manager. The statements below explain how we use your personal information.

  • Information collected: We collect personal information from you through the membership form and your use of our facilities. The information we collect may relate to your physical health or condition.

  • Use of your information: We use your personal information for the purposes of providing and personalising our membership services and may contact you from time to time informing you of related services or products. If you do not wish to receive such information, you should instruct the club manager accordingly, in writing. We may also contact you if you have not recently attended the facilities to offer encouragement or seek information on the reasons for your recent absence. Again, if you do not wish to be contacted in this way, please instruct the club manager in writing.

Data: Privacy notices on sign-in books
Storage: Same as above
Accessibility: Same as above
Action Plan: Sign-in book notice: By selecting yes, you agree to receive e-mails or phone calls regarding information about memberships and sales opportunities within our leisure club. By signing you accept full responsibility for yourself and the person(s) accompanying you, particularly all children and teenagers up to the age of 18. You are aware that use of the club is entirely at your own risk and that no liability, damage or injury arising from your use without supervision shall be the responsibility of the owner or manager or operator of the club. You are also signing to agree and abide by the Terms and Conditions set within The Regency Leisure Club. Terms and Conditions are displayed on the notice board by the leisure reception. You can request a copy from the Hotel reception at any time. Finally, you are signing to confirm that you are physically fit enough to engage in exercise within the club. If you are unsure of this, please contact your GP for approval prior to exercise. We also accept no responsibility or liability for personal belongings within the leisure club. Guests and members are responsible for their own possessions, including any damage and loss to personal effects and belongings.

Data: Computers and laptops containing personal data
Storage: Reception desk
Accessibility: Shared login, reception staff only
Action Plan:
  • Privacy screen on the computers
  • Computers must be put in sleep mode and the user logged out when left unattended

Data: CCTV coverage
Storage: General hotel system
Accessibility:
  • General hotel: GM, Ops and Maintenance Manager have codes
Action Plan:
  • Images are recorded over every 28 days on both systems; images can only be viewed or saved by using a code and can only be saved onto a network-secured device.

Data: CCTV statement
Storage: Generic statement
Accessibility: On wall in Reception
Action Plan:
  • “Security Notice: These premises are under CCTV surveillance for the purposes of crime prevention and public safety. Operated and controlled by Corus Hotels Limited.”

Data: Disposal of confidential documents
Storage: Locked storage
Accessibility: Front Office Manager and HR Manager
Action Plan:
  • A shredder must be available to the department
  • Please refer to the documentation disposal timetable and dispose of documentation containing personal data accordingly
  • Dispose of old documentation containing personal data by using a certified shredding company; the certificate must be provided to the Finance Department