Data Protection Policy
1.1 This Policy
The aim of this policy is to set forth the manner in which Travamigos Limited will strive to ensure compliance with the General Data Protection Regulation (Regulation (EU) 2016/679), as well as local legislation applicable to data protection (collectively referred to as “Data Protection Legislation”). The aim of Data Protection Legislation is to protect the rights and freedoms of natural persons (excluding, therefore, companies and similar legal persons) and to ensure that their personal data is not processed without their knowledge and, whenever possible, that it is processed with their consent.
Schedule 1 to this policy explains a number of commonly used terms which are crucial to a proper and full understanding of the scope of Data Protection Legislation. Stakeholders are urged to familiarise themselves with these terms.
1.2 Application of Data Protection Legislation and this policy
Data Protection Legislation applies to the processing of personal data wholly or partly by automated means (e.g. by computer) and to the processing other than by automated means of personal data (e.g. paper records) that form part of a filing system or are intended to form part of a filing system. Personal data which does not fall within these parameters is therefore excluded from the scope of Data Protection Legislation and, therefore, outside the scope of this policy and other policies adopted by Travamigos Limited, which are of relevance to Data Protection.
1.3 Review of policy
Travamigos Limited is committed to reviewing this policy, as well as other policies related to Data Protection Legislation, at least once every calendar year, with a view to ensuring that they adequately cater for Travamigos Limited’s needs. Other events, such as legislative changes or court judgements, may lead to revisions of this policy. It is the responsibility of the Data Protection Officer to initiate reviews as required in accordance with this policy. Policy changes will be subject to acceptance by the Board of Directors of Travamigos Limited.
1.4 Availability of Policy
This policy, as well as other policies related to Data Protection, is not a restricted document and shall be made available to all persons employed by Travamigos Limited. Employees of Travamigos Limited are expected to be familiar with its contents, and the Data Protection Officer is to promote awareness of these policies. They may, at the discretion of the Data Protection Officer, be made available to persons outside of Travamigos Limited, such as subcontractors and suppliers.
2. Commitment to policy
Travamigos Limited is committed to compliance with Data Protection Legislation, and the protection of the rights and freedoms of individuals whose information Travamigos Limited collects and processes in accordance with Data Protection Legislation. The aim of this document is to outline the manner in which this will be done. Other documents regulate the manner in which compliance with certain specific aspects of Data Protection Legislation will be achieved. A list of all documents connected to or relevant to compliance with Data Protection Legislation is set forth in Schedule 2 attached to this policy. This Schedule may be updated or amended from time to time. It is the responsibility of the Data Protection Officer to ensure that this Schedule is updated as required to reflect policies in force at any particular time.
This policy, as well as the policies listed in Schedule 2 of this policy, apply to the processing of personal data by Travamigos Limited. Personal data includes data held by Travamigos Limited on customers, employees, and suppliers.
For the purpose of facilitating compliance with Data Protection Legislation, Travamigos Limited uses GDPR Auto. This software is to serve as the central management tool for the management of personal data within Travamigos Limited. Access to GDPR Auto shall be limited to the following persons:
- Andrew Wormington – Data Protection Officer
Additional access to GDPR Auto may be granted by the Data Protection Officer and a record of access having been granted shall be retained.
The Data Protection Officer shall be responsible for reviewing, at least on an annual basis, the register of processing contained within GDPR Auto for the purposes of ensuring that it correctly and comprehensively maps the processing of personal data undertaken from time to time by Travamigos Limited.
This policy applies to all employees of Travamigos Limited. A breach of this policy will be taken seriously, and may constitute grounds for the issuing of a warning or, in certain cases, grounds for dismissal. Employees should be aware that Data Protection Legislation imposes, in certain instances, criminal sanctions for breaches.
In cases where Travamigos Limited entrusts third parties with the processing of personal data, appropriate contractual arrangements must be in place which (i) bind the third party to confidentiality obligations; (ii) require the third party to comply with Data Protection Legislation; and (iii) give Travamigos Limited the right to audit the third party to ensure such compliance. The Data Protection Officer shall be responsible for effectively communicating this requirement to Travamigos Limited management as and when required.
3. Responsibility for compliance
Responsibility for compliance with Data Protection Legislation rests, ultimately, with the Board of Directors of Travamigos Limited. However, the Board of Directors exercises its authority through, and has delegated responsibility to, its Data Protection Officer. This notwithstanding, the management of Travamigos Limited is expected to play an active role in ensuring compliance with Data Protection Legislation and is expected to be conversant with the essential requirements emerging from it. Management is expected to work hand in hand with the person or persons responsible for compliance with Data Protection Legislation, including the Data Protection Officer.
The person delegated with primary responsibility for promoting compliance with Data Protection Legislation shall be the Data Protection Officer, who shall report directly to the Board of Directors.
The Data Protection Officer shall be responsible, on a day-to-day basis, for the following:
- 3.3.1 Promoting compliance within Travamigos Limited with all policies related to Data Protection Legislation;
- 3.3.2 Periodic review of the same policies;
- 3.3.3 Security and risk management in relation to compliance with the policy;
- 3.3.4 Creation of awareness within Travamigos Limited of the requirements of Data Protection Legislation.
From time to time Travamigos Limited shall organise internal or external training courses for employees. Employees are expected to attend such training as and when requested.
4. Fundamental Principles of Data Protection
Data Protection Legislation provides that the processing of personal data is to be carried out in compliance with a number of principles. Travamigos Limited is committed to ensuring that it complies fully with these principles. The principles are listed and explained below. Each of the principles is of equal importance; no principle takes priority over another.
4.1 Principle 1: Personal data must be processed lawfully, fairly and transparently
Lawfulness: This means that Travamigos Limited must ensure that a lawful basis for processing exists, for example that the consent of the data subject has been obtained, the processing is required for the purposes of fulfilling contractual obligations, etc. This ensures that data is processed lawfully. GDPR Auto is to be utilised for the purposes of recording the lawful basis of processing.
Fairness: This means that Travamigos Limited must only process personal data in ways that data subjects would reasonably expect and that do not have unjustified adverse effects on them, and that it has to make certain information, as detailed further in this policy, available to its data subjects.
Transparency: This means that the data subject must know why their data is being processed. It also means that Travamigos Limited is to provide data subjects with certain information. When dealing with data subjects, Travamigos Limited will communicate with data subjects using language that is easy to understand, is clear, and is free of legal jargon. Travamigos Limited will strive to use privacy notices that are detailed and specific, and which comply with the principle of transparency. A sample privacy notice for use by Travamigos Limited is included in this policy. This notice will require customisation depending on its contextual use, and for this purpose users of the privacy notice are required to liaise with the Data Protection Officer.
Information which must be provided to data subjects includes the following:
- the identity and the contact details of Travamigos Limited and, if any, of the Travamigos Limited’s representative;
- the contact details of the Data Protection Officer;
- the purposes of the processing for which the personal data is intended as well as the legal basis for the processing;
- the period for which the personal data will be stored;
- the existence of the rights to request access, rectification, erasure, restriction of processing and data portability, and to object to the processing, together with the conditions for exercising these rights; where processing is based on consent, the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before the withdrawal;
- the right to lodge a complaint with a supervisory authority;
- the categories of personal data concerned;
- the recipients or categories of recipients of the personal data, where applicable;
- where applicable, that the controller intends to transfer personal data to a recipient in a third country and the level of protection afforded to the data;
- any further information necessary to guarantee fair processing.
4.2 Principle 2: Personal data can only be collected for specific, explicit and legitimate purposes
When obtaining personal data, the purpose for which the data is obtained must be specified. Personal data which is obtained for one purpose must not, according to Data Protection Legislation, be further processed for a purpose that is incompatible with the purpose for which it was originally obtained.
Schedule 3 of this policy sets out the processes to be followed for the purposes of ensuring compliance with this principle.
4.3 Principle 3: Personal data must be adequate, relevant and limited to what is necessary for processing
This means that Travamigos Limited should not collect personal data which is not necessary for the purposes for which it is being obtained. Travamigos Limited is aware that holding personal data, in effect, constitutes a risk and is therefore fully committed to ensuring compliance with this principle.
Compliance with this principle requires both planning at the conceptual stage of any project entailing the collection of personal data, and ongoing review. It is the responsibility of persons driving projects to ensure that this principle is kept at the forefront of any project which will require the collection of personal data. Liaison with the Data Protection Officer is required in order to ensure that data collected does not exceed what is strictly required. The Data Protection Officer is required to review data collection sources on at least an annual basis to ensure compliance with this principle.
4.4 Principle 4: Personal data must be accurate and kept up to date
This means that personal data held must be subjected to periodic review and updated as necessary. GDPR Auto is to be utilised for the purposes of periodically checking with data subjects that data held is accurate and up to date. Data which is not accurate should, if not updated, be removed and securely destroyed. The Data Protection Officer is responsible for driving compliance with this principle. The Data Protection Officer is to ensure that appropriate procedures are in place to ensure that personal data is accurate and up to date. These procedures may vary depending on the nature of the personal data at issue, and other factors.
Data subjects have a right to request that data held by Travamigos Limited about them be rectified to ensure that it is accurate and up to date. These requests must be acted upon within one month in accordance with the policy applicable to Subject Access Requests. The Data Protection Officer is responsible for oversight of this process using, where applicable, the functionality available in GDPR Auto.
The Data Protection Officer is to ensure that, in cases where third parties have been given data which is not accurate or is not up to date, these organisations are informed of this and, if accurate and up to date information is obtained, that this information is passed on to them.
4.5 Principle 5: Personal data should be stored in a way that the data subject can be identified only as long as is necessary for processing
This principle requires Travamigos Limited to ensure that personal data is not kept longer than is necessary. When the purpose for which personal data is being processed is exhausted, then personal data is to be pseudonymised, anonymised or deleted using the functionality within GDPR Auto.
This principle also requires that data is not to be retained beyond what is strictly necessary. Retention periods for different types of data differ, and are established in a separate retention policy. GDPR Auto is configured to raise alerts on approaching expiry of retention periods for personal data. It is the duty of the Data Protection Officer to then determine, liaising with other members of staff as necessary, whether deletion or anonymisation (using GDPR Auto) is required, or whether there exists a circumstance justifying the retention of personal data beyond its retention period (e.g. the existence or threat of litigation). Any such circumstances are to be recorded by the Data Protection Officer.
4.6 Principle 6: Personal data must be processed in a secure manner
This means that Travamigos Limited is obliged to ensure that appropriate technical measures (e.g. access controls and password protection, encryption of personal data at rest and in transit, firewalls) and organisational measures (e.g. training of staff and rules on the use of personal devices) are in place to ensure that personal data is safe and secure. The Data Protection Officer will carry out a risk assessment taking into account all the circumstances of Travamigos Limited’s processing operations. All company staff are required to follow policies in place to ensure compliance with this principle.
4.7 Principle 7: Accountability
This principle requires that Travamigos Limited not only complies with the principles above, but is able to demonstrate that it does so. Compliance will be demonstrated through the records generated by GDPR Auto, the policies adopted by Travamigos Limited, as well as documents generated as a result of the policies.
5. Rights created by Data Protection Legislation
Data Protection Legislation grants data subjects certain rights which Travamigos Limited is obliged to uphold. These rights are a critical cornerstone of Data Protection Legislation and Travamigos Limited is committed to upholding them in full.
GDPR Auto includes the necessary functionality to assist Travamigos Limited in fulfilling its obligations to ensure that data subjects can exercise their rights fully and in full conformity with Data Protection Legislation.
6. Consent as a basis for processing Personal Data
In many instances, Travamigos Limited processes the personal data of data subjects on the basis of their consent. In order for consent to provide a proper legal basis for processing it must meet ALL of the following criteria:
- 6.1.1 It must be freely given;
- 6.1.2 It must be specific and informed;
- 6.1.3 It must constitute an unambiguous indication of the data subject’s wishes. This can be either by a statement or by a clear affirmative action. In other words, non-action, silence or pre-ticked boxes do not constitute consent.
In order for consent to form a proper basis of processing, it is also necessary to ensure that the data subject is fully aware of the intended processing that will happen with their data, and that they have agreed to this. Consent which is obtained as a result of pressure exerted on the data subject, or obtained in circumstances where the data subject will suffer some adverse effect if consent is not granted, is not valid consent.
Data subjects can withdraw their consent at any time.
GDPR Auto can be used, where necessary, for the purposes of ensuring that valid consent is obtained and, furthermore, for the purposes of ensuring that this consent is properly recorded. Other documents to obtain consent can also be used, provided these are recorded in GDPR Auto.
For special categories of data, the explicit consent of data subjects must be obtained unless an alternative legitimate basis for processing exists; Travamigos Limited will ordinarily obtain and record such consent in writing. Again, GDPR Auto can be used for this purpose. Other documents to obtain consent can also be used, provided these are recorded in GDPR Auto.
Special considerations apply in cases where Travamigos Limited relies on consent to process the data of persons under the age of 16 years for the provision of online services to these persons. In these cases, the consent must be given or authorised by the parents or legal guardians of these persons, and Travamigos Limited must make reasonable efforts to verify this.
7. Data Security and Safety
All employees of Travamigos Limited have an important role to fulfil in order to ensure that personal data is kept safe. In particular, personal data should not be disclosed to third parties without prior consultation with the Data Protection Officer.
Employees are required to follow such policies as may be in force from time to time regulating data security and safety.
8. Retention and disposal of data
Travamigos Limited has in place policies which regulate the duration for which personal data is to be kept. These are to be implemented strictly, with the assistance of GDPR Auto. In the event of personal data being kept beyond its retention period, this must be justified and the reason justifying the extended retention recorded.
Personal data may only be stored for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.
Personal data, when disposed, must be disposed of securely.
9. International Data transfers
Data Protection Legislation regulates the transfer of data to countries outside of the European Economic Area.
The transfer of personal data outside of the European Economic Area is prohibited unless one of the following conditions applies:
- 9.2.1 An adequacy decision exists: in other words, the European Commission has determined that a country outside the European Economic Area offers an appropriate level of protection. This list is updated from time to time and can be found at the following link http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
- 9.2.2 A Privacy Shield applies: this may apply in cases of transfer of personal data to an entity in the United States. A transfer may be permitted if the entity is signed up to the Privacy Shield, details of which may be found at the link above. Note that the EU-US Privacy Shield was invalidated by the Court of Justice of the European Union in July 2020 (Case C-311/18, “Schrems II”) and can no longer be relied upon; transfers to the United States must instead rest on another mechanism in this section, such as the Commission’s adequacy decision for the EU-US Data Privacy Framework (2023) or standard contractual clauses;
- 9.2.3 Binding corporate rules: if Travamigos Limited has adopted binding corporate rules for the transfer of data outside the European Economic Area;
- 9.2.4 Standard contractual clauses: if Travamigos Limited has entered into standard (model) contractual clauses adopted by the European Commission, or adopted by a supervisory authority and approved by the Commission.
9.3 In the absence of any of the above, a transfer of personal data to a third country can only take place if:
- 9.3.1 the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data existing due to the absence of an adequacy decision and appropriate safeguards;
- 9.3.2 the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
- 9.3.3 the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- 9.3.4 the transfer is necessary for important reasons of public interest;
- 9.3.5 the transfer is necessary for the establishment, exercise or defence of legal claims; and/or
- 9.3.6 the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
Personal data transfers of the nature set forth in this section are only to happen following consultation with the Data Protection Officer.
Schedule 1 – Definitions
Article 4 definitions
Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data subject – any living individual who is the subject of personal data held by an organisation.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling – any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour.
Schedule 3 – Purpose Limitation Procedures
1. Purpose and Ownership
The aim of this Schedule is to establish procedures which will assist Travamigos Limited to ensure compliance with the principle that Personal Data can only be collected for specific, explicit and legitimate purposes.
The Data Protection Officer is responsible for pro-actively promoting compliance with this procedure. However all employees are obliged to be conversant with it and to apply it in practice. It applies in all circumstances in which Travamigos Limited collects personal data.
The Data Protection Officer is responsible for ensuring that privacy notices are used as required and in accordance with this policy.
2. Use of GDPR Auto
The Data Protection Officer is responsible for ensuring that the legal basis for processing personal data and special categories of personal data is clearly identified and documented using GDPR Auto.
Personal data may only be processed if the purpose (or purposes) for processing has been identified and one of the following conditions exists, which must be documented in GDPR Auto:
- 2.2.1. the data subject has given consent to the processing of his personal data for one or more specific purposes;
- 2.2.2. the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- 2.2.3. the processing is necessary for compliance with a legal obligation to which Travamigos Limited is subject;
- 2.2.4. the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- 2.2.5. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Travamigos Limited;
- 2.2.6. the processing is necessary for the purposes of the legitimate interests pursued by Travamigos Limited or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Special categories of personal data may only be processed if the purpose (or purposes) for processing has been identified and one of the following conditions exists, which must be documented in GDPR Auto:
- 2.3.1. the data subject has given explicit consent to the processing of personal data for one or more specified purposes;
- 2.3.2. the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of Travamigos Limited or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by law or a collective agreement pursuant to law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
- 2.3.3. the processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- 2.3.4. the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
- 2.3.5. the processing relates to personal data which are manifestly made public by the data subject;
- 2.3.6. the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- 2.3.7. the processing is necessary for reasons of substantial public interest, on the basis of law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
- 2.3.8. the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of law or pursuant to contract with a health professional and subject to the conditions and safeguards provided for by law;
- 2.3.9. the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of law;
- 2.3.10. the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
3. Using Privacy Notices
Privacy notices are a crucial tool in Travamigos Limited’s efforts to comply with Data Protection Legislation. The primary aim behind privacy notices is to make data subjects aware of the reasons why their personal data is being collected, and how it will be used.
The use of privacy notices is to be considered in all circumstances in which personal data will be processed. Where processing is based on the data subject’s consent, the data subject should sign a separate privacy notice and a record of this retained. In other cases, for example where processing is based on a contract, a privacy notice should be made available to the data subject and a signed copy obtained.
In cases where personal data has been gathered from a source other than the data subject, so that the data subject has not seen a privacy notice, Travamigos Limited is obliged to provide the information contained in the privacy notice no later than the following time frames:
- 4.1.1 within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
- 4.1.2 if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
- 4.1.3 if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
However, the obligation in clause 4.1 does not apply if:
- 4.2.1 the data subject already has the information;
- 4.2.2 the provision of the above information proves impossible or would involve a disproportionate effort;
- 4.2.3 obtaining or disclosure of the personal data is expressly laid down by law; or
- 4.2.4 If personal data must remain confidential subject to an obligation of professional secrecy regulated by law.
Sample Privacy Notice
WHO WE ARE
Travamigos Limited is a mobile App and web based platform, comprising a website and associated social media channels. The services provided are for the safety, security and convenience of world travellers.
- The Data Protection Officer is Andrew Wormington
WHAT WE DO WITH PERSONAL DATA AND WHY WE DO IT
The personal data we collect and process about you is the following:
- Personal Data Set: Name, e-mail address, IP address, Date of Birth, User ID and Location
- Source of personal data: Facebook, Twitter and email App sign-up.
We will use your personal data for the following purposes:
- To protect and advise you whilst using our services.
The legal bases on which we process your personal data are the following:
- the performance of the contract between us; and
- the legitimate interests pursued by us or by third parties, namely to maintain and perform the services you have requested.
Where we process your personal data on the basis of your consent, you may withdraw that consent at any time by writing to the Data Protection Officer c/o the Travamigos Limited registered address, listed on our website. Withdrawal does not affect the lawfulness of processing carried out before it.
DISCLOSURE OF YOUR PERSONAL DATA
Travamigos Limited will disclose your personal data to the following third parties:
- Campaign Monitor (Australia)
- AWS: Jaws DB
- Pusher (IM system)
HOW LONG WE KEEP YOUR DATA FOR
Travamigos Limited will process your data for the duration of your App and website usage and will store your data for 3 years thereafter for the safety and security of our users.
As a data subject you have a number of rights under law. These are the following:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.
- Right of portability – you have the right to receive the data you have provided to us in a structured, commonly used and machine-readable format, and to have it transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right in relation to automated decision-making, including profiling – you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
- Right to complain: in the event that we refuse your request under any of these rights, we will provide you with the reason why. You have the right to complain to the appropriate authorities about this.
You can request access to your data by writing to the Data Protection Officer, c/o the registered address listed on our website.
In the event that you wish to make a complaint about how your personal data is being processed by us, we recommend that you first lodge your complaint with the Data Protection Officer. If you remain unsatisfied, you may pursue your complaint further by lodging a complaint with the following:
- The Directors of Travamigos Limited; and, if the matter remains unresolved, the supervisory authority responsible for data protection in your country.