Privacy Statement

Introduction

Bolsover Cruise Club Limited is a limited company incorporated in England & Wales with registration number 05729112 and whose registered office address is at 35 Sherwood Street, Warsop, Mansfield, Nottinghamshire, NG20 0JR (“Bolsover”, “we” “us”, “our”).

Bolsover takes data protection very seriously, we are aware of our obligations under the General Data Protection Regulation and will look at minimisation opportunities and ways to limit the processing of your data where feasible. Confidentiality is very important and at the very core of our business.

This Privacy Statement is provided in a layered format so that you can easily click through to the specific areas set out below.

1. What Information do we obtain about you?
2. How your personal data is collected
3. Processing and handling of your personal data
4. Transfer & sharing of your personal data
5. When we transfer your data overseas
6. Security of your personal data
7. Retention
8. Your legal rights
9. Glossary

What information do we obtain from you?

Personal data or personal information, means any information about an individual from which that person can be identified, it does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

(A) Identity data – such as your name, username or similar identifier, passport, marital status, title, date of birth and gender

(B) Contact data – email address, mailing address and telephone number (including mobile telephone numbers and emergency contact information and passport/visas/immigration details);

(C) Financial data – Payment information, such as a credit or debit card number

(D) Transaction data – including details of the transactions you have carried out with us, details about payments to and from you and other details of products and services you have purchased from us

(E) Technical data – usernames and passwords, the information collected automatically from you when you visit our websites or mobile applications includes: Internet Protocol (“IP”) address used to connect your computer to the Internet, Computer, device and connection information, such as browser type and version, operating system, mobile platform and unique device identifier (“UDID”) and other technical identifiers, Uniform Resource Locator (“URL”) click stream data, including date and time, and content you viewed or searched for on a Service, location information for location-aware Services to provide you with more relevant content for where you are in the world.

(F) Marketing and Communications data – Comments and feedback, Interests and communication preferences

Essentially, we will require such information as is necessary to enable us to provide you with the booking service you and your family seek from us.  The information we process will include personal data and may include special category personal data (also known as sensitive personal data), such data may be necessary given the nature of the booking service you seek for your party and yourself and it may be held by us in a paper and/or electronic format.

Special categories of data may include: dietary requirements which may disclose your religious or philosophical beliefs, health, race or ethnicity, sex life and/or your sexual orientation, political opinions, trade union membership, generic and biometric data.

We only collect special category data where it is strictly necessary in order to deliver the travel service that you have purchased and where you have given us your explicit consent to do so. You are not under any obligation to consent to us processing your sensitive personal data. However, without your consent, we won’t be able to make the necessary arrangements to provide the travel services that you have booked or are attempting to book. As a result, if you do not provide your consent, we will be unable to proceed with your booking.

• We may use and disclose automatically collected information for any purpose, except where we are restricted by applicable law. If we combine any automatically collected information with personal information, the combined information will be treated by us as personal data.
• We may also use aggregated information for any purpose, however, this information does not identify specific individuals and so is not personal data.

If you fail to provide personal data

Where we require details from you in order to provide you with your chosen travel services, if you do not provide us with the necessary details then we will not be able to provide the services you have booked or are attempting to book.

In this case, depending on when you fail to provide the necessary data, we may either not be able to process your booking or we or the Supplier/Principal (when we act as agent) may have to cancel your booking. This may then be treated as a cancellation by you in accordance with our booking terms and conditions and/or the Supplier/Principals booking conditions. We will notify you if we or the Supplier/Principal are unable to process your booking for this reason.

How your personal data is collected

The legal basis for processing your personal data depends on the circumstances.  The basis may be:

• you have given your consent to the processing of your personal data; or
• the processing is necessary to perform a contract you have entered into.  For instance, where you have entered into a contract for a holiday service or wish us as your agent to do so on your behalf, we and/or the Supplier/Principal will invariably require your and your party’s personal data;
• the processing may be necessary for the purposes of the legitimate interests pursued by us.  In these circumstances the legitimate interests could be the interest a travel company has in providing travel and related services to consumers.
• Where we need to comply with a legal or regulatory obligation

We use different methods to collect data from and about you including through:

1. Direct Interactions – making of a booking, fulfilling marketing requests sent by you, give us feedback, you entering competitions or promotions and by using our live chat service (Click4assistance)
2. Automated technologies – as you interact with our website, we may automatically collect data about your equipment, browsing patterns and actions
3. Third parties – via analytics providers such as Google and Cloudflare based outside the UK. Identity data from publicly available sources such as Companies House and the Electoral register based inside the UK.

Processing/handling of your personal data

Our use of your personal data is subject to your instructions, the UK General Data Protection Regulation (GDPR), the Data Protection Act, 2018 and any replacement data protection legislation in force in the United Kingdom and our duty of confidentiality owed to you as our customer.

If you give your consent to us to send direct marketing communications, you have the right to withdraw that consent to marketing at any time by contacting us.

Purpose:

Purpose/Activity	Type of data	Lawful basis for processing including basis of legitimate interest
To register you as a new customer.	(a) Identity; (b) Contact.	Performance of a contract with you.
To process and deliver your booking including:   (a) Manage payments, fees and charges; (b) Collect and recover money owed to us.	(a) Identity; (b) Contact; (c) Financial; (d) Transaction; (e) Marketing and Communications.	(a) Performance of a contract with you; (b) Necessary for our legitimate interests (to recover debts due to us).
To manage our relationship with you which will include:   (a) Notifying you about changes to our terms or Privacy Policy; (b) Asking you to leave a review or take a survey.	(a) Identity; (b) Contact; (c) Marketing and Communications.	(a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services).
To enable you to partake in a prize draw, competition or complete a survey.	(a) Identity (b) Contact (c) Marketing and Communications	(a) Performance of a contract with you; (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business).
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).	(a) Identity (b) Contact (c) Technical	(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); (b) Necessary to comply with a legal obligation.

 

We use the information you provide primarily to provide travel and related services to you including:

• external auditing, the management of complaints and training; these aspects may be undertaken by a third party, but it will be on a strictly confidential basis and we will ensure that access to your data is controlled;
• to comply with our legal and regulatory obligations;
• contacting you for the purpose of investigating opportunities for further processing or consent.

If you no longer want to receive information from us

If you no longer wish us to communicate with you please write to our Data Privacy Manager with the subject heading “No more contact” at Bolsover Cruise Club, 6 Lindrick Way, Chesterfield S43 4XE or by emailing our Data Privacy Manager at [email protected]

Transfer and sharing of your information

Under no circumstances will we sell your personal data to a third party. We will, however, share certain personal data with other service providers as part of the booking service being provided to you, e.g. cruise operators, associated providers and agents. Many of our external third parties are outside the UK so their processing of your personal data will involve a transfer of data outside the UK.

We will require all third parties to respect the privacy of your personal data and to treat it in accordance with the law.

In the event of our insolvency we, or any appointed insolvency practitioner, may disclose your personal information to the Civil Aviation Authority (CAA), and/or the Association of British Travel Agents (ABTA) so that they can assess the status of your booking and advise you on the appropriate course of action under any scheme of financial protection. The CAA’s General Privacy Notice is at https://www.caa.co.uk/Our-work/About-us/General-privacy-notice/ ABTA’s Privacy Notice is at https://www.abta.com/privacy-notice.

We may also have to share your personal data with the parties set out below for the purposes set out in the table above

• Internal third parties as set out in the Glossary
• External third parties as set out in the Glossary

When we transfer your data overseas

We will not transfer your personal data abroad without your explicit prior consent unless the booking you make, or require us to make for you, is based outside the UK. However, please be aware that countries outside the EEA will have different laws relating to the protection of personal data to that provided in the UK under the GDPR.

Where we are unable to rely on one of the safeguards outlined below when transferring data to those suppliers outside the UK, we will rely on the derogation under Article 49 of the UK GDPR in order to transfer your personal data to countries outside the UK (as the transfer relates to the performance of a contract for your benefit), and you hereby permit us to do so.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
• Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

Security

We have robust information security management systems in place to ensure the safety, security, integrity and confidentiality of your personal data; we use a variety of data security measures intended to ensure the safety, security, integrity and confidentiality of your personal data. We are familiar with and shall at all times comply with the GDPR and other applicable data protection legislation.

Our IT systems, containing customer data, have rigorously audited technical controls to ensure the confidentiality and integrity of all information is maintained at all times. As a requisite of our Plastic Card Industry (PCI) Compliance, Vulnerability Testing and Penetration Testing is performed regularly by independent Third Parties. We are Cyber Essentials accredited.

A multiple firewall configuration is maintained in order to protect the network.  The outer firewall protects the network from internet attack and the inner firewall segments the network for all devices within PCI scope.

Our website is hosted off site and therefore is not connected to our Network.

Direct client access to our database is not permitted. Client booking information and customer data recall is via an external web server using strict security control.

We maintain full security against virus and Malware attack using the latest Intel McAfee Virus scan Enterprise plus Antispyware Enterprise software deployed across our network.

GFI Plus software is similarly network-wide deployed to monitor PC and server events to detect any malicious activity and is monitored regularly.

CCTV

We have CCTV cameras in operation monitoring the exterior of our Head Office building.  We also have a static camera to enable us to view, but not record, the activity inside our Meadowhall store.  We display notices to make it clear that these areas are subject to surveillance.

We will only release footage where there is a legal obligation, to protect the vital interests of a data subject or another person.  Processing is necessary for the purposes of our legitimate interests and may be overridden by the interests or fundamental rights and freedoms of data subjects especially where the data subject is a child.

We use this information as necessary for our legitimate interests in administering your visit, ensuring site security and the safety of visitors and staff.

CCTV recordings are kept for a period of 28 days before they are recorded over.

Telephone calls

We do record our telephone calls to ensure service levels, for training and to aid resolving complaints/disputes.  Credit card details are not recorded for PCI compliancy.

Contact Us – Data Privacy Manager

Our Data Privacy Manager is Claire Rogers, and she can be contacted by email at [email protected] or you can write to her at Bolsover Cruise Club, 6 Lindrick Way, Chesterfield, S43 4XE

Retention of Personal Data

We have a Data Retention & Destruction Policy and in terms of that policy we destroy personal data after 7 years of booking inactivity, but reserve the right to do so earlier if we deem it appropriate.  However, we also reserve the right in certain circumstances to hold your data for longer than 7 years, but in such event, it will not be accessible except in a secure retrieval process prescribed in our policies and procedures.  In the event of us retaining your personal data for in excess of 7 years, we also reserve the right to securely delete some of your personal data that we do not regard as necessary to retain (minimisation) in the circumstances.

Data Protection Regulator, Complaints Handling and Modern Slavery Statement

You may complain about our conduct in relation to data protection matters to the regulator of data protection in the UK, The Information Commissioner, by writing to them at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or telephoning them on 0303  123 1113.

Your Legal Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please click on the links below to find out more about thee rights:

• Request access to your personal data
• Request correction of your personal data
• Request erasure of your personal data
• Object to processing of your personal data
• Request restriction of processing your personal data
• Request transfer of your personal data
• Right to withdraw consent

If you have any questions about our Privacy Statement or want to exercise your rights under the data protection legislation to see a copy of the information that we hold about you, please contact us with the subject heading “Data Privacy” to [email protected]  or send a signed letter addressed to Claire Rogers, Data Privacy Manager, Bolsover Cruise Club, 6 Lindrick Way, Chesterfield S43 4XE.

No fee is usually required to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit – we try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Glossary

LAWFUL BASIS

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

THIRD PARTIES

External Third Parties

1. Suppliers of travel services, such as cruise companies, hotels, acting as processors based worldwide, who provide the travel services that make up any booking of travel services that you make with us.
2. Service providers acting as processors based in the UK and Europe, who provide IT and system administration services.
3. Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in the UK, who provide consultancy, banking, legal, insurance and accounting services.
4. HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.

YOUR LEGAL RIGHTS

You have the right to:

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

• if you want us to establish the data’s accuracy;
• where our use of the data is unlawful but you do not want us to erase it;
• where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
• you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Revisions to this Statement

We may change this Statement from time-to-time.

This Statement was last updated: April 2023