A key GDPR stipulation is that we must assign a lawful basis for our processing activities. REST has identified a 'legitimate interest' when processing information from accommodation providers.
What data do we collect?
In order to deliver the services that we do, we need to collect personal data. Depending on which of our services you use, we may need to collect:
- Name, address and contact details such as telephone number and email address
- Bank details, only where required
- Any special access requests that could affect any site visits that are made
How we collect data
Your data will reach us in one of the following ways:
- Provided by you, when initiating a contractual relationship with us
- Provided by third parties that you have contracts with, where we have been appointed to carry out the work
- Collected by us while carrying out work as part of existing contracts
How we secure data
We implement a set of strict information security policies and procedures to protect your data both in transit and at rest. These include:
- All data communications are secured, ensuring that all the data we send or receive is protected.
- All data is stored in our highly secure databases.
- We implement strict security controls around access to the data, applying the principle of least privilege.
As part of our day-to-day operations we may need to pass your personal data to our third-party suppliers. This is only done to support the contract that we have with you. Your data will not be used for any other purpose without your express consent.
Your data will not be used by our third-party suppliers for marketing purposes.
Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data. You have the right to request from us access to and rectification or erasure of your personal data, the right to restrict processing, the right to object to processing and, in certain circumstances, the right to data portability.
If you have provided consent for the processing of your data, you have the right (in certain circumstances) to withdraw that consent at any time. Withdrawal will not affect the lawfulness of the processing before your consent was withdrawn.
You have the right to lodge a complaint with the Information Commissioner’s Office if you believe that we have not complied with the requirements of the GDPR or DPA 18 with regard to your personal data.
Subject Access Request
If you exercise your right to raise a subject access request, we have put processes in place that will tell you:
- whether or not your data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected directly from you
- to whom your data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers
- for how long your personal data is stored (or how that period is decided)
- your rights to rectification or erasure of data, or to restrict or object to processing
- your right to complain to the Information Commissioner if you think REST has failed to comply with your data protection rights
- whether or not REST carries out automated decision-making and if so, the logic involved in any such decision-making
If REST discovers that there has been a breach of personal data that poses a risk to an individual’s rights and freedoms, we will report it to the Information Commissioner within the guidelines set out in the GDPR. We will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures we have taken.
Some of the processing that REST carries out may result in risks to privacy. Where processing would result in a high risk to an individual's rights and freedoms, we will carry out a data protection impact assessment to determine the necessity and proportionality of processing and, where appropriate, we will refer this information to the Information Commissioner as per the guidelines in the GDPR. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.