Menu

Data Protection Policy

1. General

1.1 This Policy
The aim of this policy is to set forth the manner in which Travamigos Limited will strive to ensure compliance with the General Data Protection Regulation 2016, as well as local legislation applicable to data protection (collectively referred to as “Data Protection Legislation”). The aim of Data Protection Legislation is to protect the rights and freedoms of natural persons (excluding, therefore, companies and similar legal persons) and to ensure that their personal data is not processed without their knowledge and, whenever possible, that it is processed with their consent.

Schedule 1 to this policy explains a number of commonly used terms which are crucial to a proper and full understanding of the scope of Data Protection Legislation. Stakeholders are urged to familiarize themselves with these terms.

1.2 Application of Data Protection Legislation and this policy
Data Protection Legislation applies to the processing of personal data wholly or partly by automated means (e.g. by computer) and to the processing other than by automated means of personal data (e.g. paper records) that form part of a filing system or are intended to form part of a filing system. Personal data which does not fall within these parameters is therefore excluded from the scope of Data Protection Legislation and, therefore, outside the scope of this policy and other policies adopted by Travamigos Limited, which are of relevance to Data Protection.

1.3 Review of policy
Travamigos Limited is committed to reviewing this policy, as well as other policies related to Data Protection Legislation, at least once every calendar year, with a view to ensuring that they adequately cater for Travamigos Limited’s needs. Other events, such as legislative changes or court judgements, may lead to revisions of this policy. It is the responsibility of the Data Protection Officer to initiate reviews as required in accordance with this policy. Policy changes will be subject to acceptance by the Board of Directors of Travamigos Limited.

1.4 Availability of Policy
This policy, as well as other policies related to Data Protection, are not restricted documents and shall be made available to all persons employed by Travamigos Limited. Indeed, employees of Travamigos Limited are expected to be familiar with its contents, and [Data Protection Officer] is to promote awareness of these policies. They may, at the discretion of the Data Protection Officer, be made available to persons outside of Travamigos Limited, such as subcontractors and suppliers.

2. Commitment to policy

2.1
Travamigos Limited is committed to compliance with Data Protection Legislation, and the protection of the rights and freedoms of individuals whose information Travamigos Limited collects and processes in accordance with Data Protection Legislation. The aim of this document is to outline the manner in which this will be done. Other documents regulate the manner in which compliance with certain specific aspects of Data Protection Legislation will be achieved. A list of all documents connected to or relevant to compliance with Data Protection Legislation is set forth in Schedule 2 attached to this policy. This Schedule may be updated or amended from time to time. It is the responsibility of the Data Protection Officer to ensure that this Schedule is updated as required to reflect policies in force at any particular time.

2.2
This policy, as well as the policies listed in Schedule 2 of this policy, apply to the processing of personal data by Travamigos Limited. Personal data includes data held by Travamigos Limited on customers, employees, and suppliers.

2.3
For the purpose of facilitating compliance with Data Protection Legislation, Travamigos Limited uses GDPR Auto. This software is to serve as the central management tool for the management of personal data within Travamigos Limited. Access to GDPR Auto shall be limited to the following persons:

Additional access to GDPR Auto may be granted by the Data Protection Officer and a record of access having been granted shall be retained.

2.4
The Data Protection Officer shall be responsible for reviewing, at least on an annual basis, the register of processing contained within GDPR Auto for the purposes of ensuring that it correctly and comprehensibly maps the processing of personal data undertaken from time to time by Travamigos Limited.

2.5
This policy applies to all employees of Travamigos Limited. A breach of this policy will be taken seriously, and may constitute grounds for the issuing of a warning or, in certain cases, grounds for dismissal. Employees should be aware that Data Protection Legislation imposes, in certain instances, criminal sanctions for breaches.

2.6
In cases where Travamigos Limited entrusts third parties with the processing of personal data, appropriate contractual arrangements must be in place to ensure that (i) the third party adheres to confidentiality obligations; (ii) requires the third party to comply with Data Protection Legislation; and (iii) allows Travamigos Limited the right to audit the third party to ensure such compliance. The Data Protection Officer shall be responsible for effectively communicating this requirement to Travamigos Limited management as and when required.

3. Responsibility for compliance

3.1
Responsibility for compliance with Data Protection Legislation rests, ultimately, with the Board of Directors of Travamigos Limited. However, the Board of Directors exercises its authority through, and has delegated responsibility to their Data Protection Officer. This notwithstanding, the management of Travamigos Limited is expected to play an active role in ensuring compliance with Data Protection Legislation and is expected to be conversant with the essential requirements emerging from it. Management is expected to work hand in hand with the person or persons responsible for compliance with Data Protection Legislation, including The Data Protection Officer.

3.2
The person delegated with primary responsibility for promoting compliance with Data Protection Legislation shall be the Data Protection Officer, who shall respond directly to the Board of Directors.

3.3
The Data Protection Officer shall be responsible, on a day-to-day basis, for the following:

3.4
From time to time Travamigos Limited shall organise internal or external training courses for employees. Employees are expected to attend such training as and when requested.

4. Fundamental Principles of Data Protection

Data Protection Legislation provides that the processing of personal data is to be carried out in compliance with a number of principles. Travamigos Limited is committed to ensuring that it complies fully with these principles. The principles are listed and explained below. Each of the principles is of equal importance; no principle takes priority over the other.

4.1 Principle 1: Personal data must be processed lawfully, fairly and transparently
Lawfulness: This means that Travamigos Limited must ensure that a lawful basis for processing exists, for example that the consent of the data subject has been obtained, the processing is required for the purposes of fulfilling contractual obligations, etc. This ensures that data is processed lawfully. GDPR Auto is to be utilised for the purposes of recording the lawful basis of processing.

Fairness: This means that Travamigos Limited has to make certain information, as detailed further in this policy, available to its data subjects.

Transparency: This means that the data subject must know why his data is being processed. It also means that Travamigos Limited is to provide data subjects with certain information. When dealing with data subjects, Travamigos Limited will communicate with data subjects using language that is easy to understand, is clear, and is free of legal jargon. Travamigos Limited will strive to use privacy notices that are detailed and specific, and which comply with the principle of transparency. A sample privacy notice for use by Travamigos Limited is included in this policy. This notice will require customisation depending on its contextual use, and for this purpose users of the privacy notice are required to liaise with the Data Protection Officer.

Information which must be provided to data subjects includes the following:

4.2 Principle 2: Personal data can only be collected for specific, explicit and legitimate purposes
When obtaining personal data, the purpose for which the data is obtained must be specified. Personal data which is obtained for one purpose must not, according to Data Protection Legislation, be used for another purpose that differs from the purpose for which it was originally obtained.

Schedule 3 of this policy sets out the processes to be followed for the purposes of ensuring compliance with this principle.

4.3 Principle 3: Personal data must be adequate, relevant and limited to what is necessary for processing
This means that Travamigos Limited should not collect personal data which is not necessary for the purposes for which it is being obtained. Travamigos Limited is aware that holding personal data, in effect, constitutes a risk and is therefore fully committed to ensuring compliance with this principle.

Compliance with this principle requires both planning at the conceptual stage of any project entailing the collection of personal data, and ongoing review. It is the responsibility of persons driving projects to ensure that this principle is kept at the forefront of any project which will require the collection of personal data. Liaison with the Data Protection Officer is required in order to ensure that data collected does not exceed what is strictly required. The Data Protection Officer is required to review data collection sources on at least an annual basis to ensure compliance with this principle.

4.4 Principle 4: Personal data must be accurate and kept up to date
This means that personal data held must be subjected to periodic review and updated as necessary. GDPR Auto is to be utilized for the purposes of periodically checking with data subjects that data held is accurate and up to date. Data which is not accurate should – if not updated – be removed and securely destroyed. The Data Protection Officer is responsible for driving compliance with this principle. The Data Protection Officer is to ensure that appropriate procedures are in place to ensure that personal data is accurate and up to date. These procedures may vary depending on the nature of the personal data at issue, and other factors.

Data subjects have a right to request that data held by Travamigos Limited about them be rectified to ensure that it is accurate and up to date. These requests must be acted upon within one month in accordance with the policy applicable to Subject Access Requests. The Data Protection Officer is responsible for oversight of this process using, where applicable, the functionality available in GDPR Auto.

The Data Protection Officer is to ensure that in cases where third parties have been given data which is not accurate or is not up to date, then these organisations will be informed of this and, if accurate and up to date information is obtained, will be passed on this information.

4.5 Principle 5: Personal data should be stored in a way that the data subject can be identified only as long as is necessary for processing.
This principle requires Travamigos Limited to ensure that personal data is not kept longer than is necessary. When the purpose for which personal data is being processed is exhausted, then personal data is to be pseudoaonymized, anoymised or deleted using the functionality within GDPR Auto.

This principle also requires that data is not to be retained beyond what is strictly necessary. Retention periods for different types of data differ, and are established in a separate retention policy. GDPR Auto is configured to raise alerts on approaching expiry of retention periods for personal data. It is the duty of the Data Protection Officer to then determine – liaising with other members of staff as necessary – whether deletion or anonymization (using GDPR Auto) is required, or whether there exists a circumstance justifying the retention of personal data beyond its retention period (e.g. the existence or threat of litigation, etc). Any such circumstances are to be recorded by the Data Protection Officer.

4.6 Principle 6: Personal data must be processed in a secure manner
This means that the Travamigos Limited is obliged to ensure that appropriate technical (e.g. password protection and firewalls) and organisation measures (training of staff and rules on use of personal devices) are in place to ensure that personal data is safe and secure. The Data Protection Officer will carry out a risk assessment taking into account all the circumstances of Travamigos Limited’s processing operations. All company staff are required to follow policies in place to ensure compliance with this principle.

4.7 Principle 7: Accountability
This principle requires that Travamigos Limited not only complies with the principle above, but is able to demonstrate that it does so. Compliance will be demonstrated through the records generated by GDPR Auto, the policies adopted by Travamigos Limited, as well as documents generated as a result of the policies.

5. Rights created by Data Protection Legislation

5.1
Data Protection Legislation grants data subjects certain rights which Travamigos Limited is obliged to uphold. These rights are a critical cornerstone of Data Protection Legislation and Travamigos Limited is committed to upholding them in full.

5.2
GDPR Auto includes the necessary functionality to assist Travamigos Limited in fulfilling its obligations to ensure that data subjects can exercise their rights fully and in full conformity with Data Protection Legislation.

6. Consent as a basis for processing Personal Data

6.1
In many instances, Travamigos Limited processes the personal data of data subjects on the basis of their consent. In order for consent to provide a proper legal basis for processing it must meet ALL of the following criteria:

6.2
In order for consent to form a proper basis of processing, it is also necessary to ensure that the data subject is fully aware of the intended processing that will happen with his data, and that he has agreed to this. Consent which is obtained as a result of pressure exerted on the data subject, or obtained in circumstances where the data subject will suffer some adverse effect if consent is not granted, is not valid consent.

6.3
Data subjects can withdraw their consent at any time.

6.4
GDPR Auto can be used, where necessary, for the purposes of ensuring that valid consent is obtained and, furthermore, for the purposes of ensuring that this consent is properly recorded. Other documents to obtain consent can also be used, provided these are recorded in GDPR Auto.

6.5
For special categories of data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists. Again, GDPR Auto can be used for this purpose. Other documents to obtain consent can also be used, provided these are recorded in GDPR Auto.

6.6
Special considerations apply in cases where Travamigos Limited processes data of persons under the age of 16 years for the provision of online services to these persons. In these cases, the consent the parents or legal guardians of these persons must also be obtained.

7. Data Security and Safety

7.1
All employees of Travamigos Limited have an important role to fulfil in order to ensure that personal data is kept safe. In particular, personal data should not be disclosed to third parties without prior consultation with the Data Protection Officer.

7.2
Employees are required to follow such policies which may be in force from time to time regulating data security and safety.

8. Retention and disposal of data

8.1
Travamigos Limited has in place policies which regulate the duration for which personal data is to be kept. These are to be implemented strictly, with the assistance of GDPR Auto. In the event of personal data being kept beyond its retention period, this must be justified and reason justifying the extended retention recorded.

8.2
Personal data may only be stored for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.

8.3
Personal data, when disposed, must be disposed of securely.

9. International Data transfers

9.1
Data Protection Legislation regulates the transfer of data to countries outside of the European Economic Area.

9.2
The transfer of personal data outside of the European Economic Area is prohibited unless one of the following conditions applies:

9.4
Personal Data transfers of the nature set forth in this paragraph are only to happen following consultation with the Data Protection Officer.

Schedule 1 – Definitions

9.6 Article 4 definitions
Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data subject – any living individual who is the subject of personal data held by an organisation.

Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling – is any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior.

Schedule 3 – Privacy Policy

1. Purpose and Ownership

1.1.
The aim of this Schedule is to establish procedures which will assist Travamigos Limited to ensure compliance with the principle that Personal Data can only be collected for specific, explicit and legitimate purposes.

1.2.
The Data Protection Officer is responsible for pro-actively promoting compliance with this procedure. However all employees are obliged to be conversant with it and to apply it in practice. It applies in all circumstances in which Travamigos Limited collects personal data.

1.3.
The Data Protection Officer is responsible for ensuring that privacy notices are used as required and in accordance with this policy.

2. Use of GDPR Auto

2.1.
The Data Protection Officer is responsible for ensuring that the legal basis for processing personal data and special categories of personal data is clearly identified and documented using GDPR Auto.

2.2.
Personal data may only be processed if the purpose (or purposes) for processing has been identified and one of the following conditions exists, which must be documented in GDPR Auto:

2.3.
Special categories of personal data may only be processed if the purpose (or purposes) for processing has been identified and one of the following conditions exists, which must be documented in GDPR Auto:

3. Using Privacy Notices

3.1.
Privacy notices are a crucial tool in Travamigos Limited’s efforts to comply with Data Protection Legislation. The primary aim behind privacy notices is to make data subjects aware of the reasons why their personal data is being collected, and how it will be used.

3.2.
An outline privacy notice is attached to this Schedule as Annex A. It is the responsibility of project drivers to ensure that projects entailing the processing of data make use of a privacy notice. Care is to be taken to ensure that the privacy notice is tailor-completed depending on the prevailing circumstances. Annex B contains a privacy policy for use on [Travamigos Limited’s] website.

3.3.
The use of privacy notices is to be considered in all circumstances in which personal data will be processed. In cases where processing is based on the data subject’s consent, then the data subject should sign a separate privacy notice and a record of this retained. In other cases where, for example, processing is based on contract, then a privacy notice should be made available to the data subject and a signed copy obtained.

4.1
In cases where personal data has been gathered from a source other than the data subject – and therefore the data subject is not aware of privacy notices – then Travamigos Limited is obliged to provide the information contained in the privacy notice within not later than the following time frames:

4.2
However, if the clause 4.1 does not apply if

Privacy Notice

WHO WE ARE
Travamigos Limited is a mobile App and web based platform, comprising a website and associated social media channels. The services provided are for the safety, security and convenience of world travellers.

WHAT WE DO WITH PERSONAL DATA AND WHY WE DO IT
The personal data we collect and process about you is the following:

We will use your personal data for the following purposes:

YOUR CONSENT
When you give your consent to this privacy notice, this means that we can process your personal data for the purposes identified in this privacy notice.

You may withdraw consent at any time by writing to the Data Protection Officer c\o the Travamigos Limited registered address, listed on our website.

DISCLOSURE OF YOUR PERSONAL DATA
[Travamigos Limited] will disclose your personal data to the following third parties

HOW LONG WE KEEP YOUR DATA FOR
Travamigos Limited will process your data for the duration of your App and website usage and will store your data for 3 years to protect the vital interests of our users.

YOUR RIGHTS
As a data subject you have a number of rights under law. These are the following:

You can request access your data by writing to the Data Protection Officer, c/o the registered address listed on our website.

COMPLAINTS
In the event that you wish to make a complaint about how your personal data is being processed by us, we recommend that you first lodge your complaint with the Data Protection Officer If you remain unsatisfied, you may pursue your complaint further by lodging a complaint with the following authority:

Bringing people together

Download the Travamigos app and join our ever-growing community of passionate travellers. Find lasting friendships, discover new adventures and create unforgettable memories.

Download Travamigos from Google Play Store Coming Soon