BAXTER HOARE TRAVEL
This document has been created following the guidance procedures provided by the Information Commissioner’s Office (ICO) and in relation to the statutory requirements with regards our obligations to the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). Baxter Hoare Travel is registered as a Data Controller with the ICO under registration reference Z8033825.
Baxter Hoare Travel is committed to safeguarding the privacy of our customers, be it through direct communication or via our public website. Any and all data submitted to Baxter Hoare Travel will be held in accordance with the 1998 Data Protection Act and held in secure domains at all times.
Baxter Hoare Travel’s principal form of business is business travel for corporate customers; Baxter Hoare Travel also offers event travel services for corporate customers and leisure travel services for private individuals and their families.
Our registered office address is 61 Great Dover Street, London SE1 4YF and is the address to which all formal communication should be addressed.
Our website address is www.baxterhoare.com.
Our principal contact number is 020 7403 5566
Our Managing Director is Adam White to whom all formal communication and relevant enquiries should be addressed.
DATA PROVIDED VIA CONTRACTUAL CLIENT RELATIONSHIPS
Baxter Hoare Travel’s terms and conditions, explicitly state that It is the responsibility of the client to seek authorisation for Baxter Hoare Travel to use the personal data to fulfil its obligations in respect of the scope of works and unless otherwise instructed, Baxter Hoare Travel will assume this permission has been sought and given if an authorised travel request is received.
Baxter Hoare Travel will only ever transfer minimal client data to any remote processor. Furthermore Baxter Hoare Travel warrants both to the client (and to its employees submitting personal data) that it shall:
Furthermore, Baxter Hoare Travel agrees that, outside of the tools used to fulfil the services contracted with us, it shall not engage any third party to process of the client’s personal data unless the client has provided express written consent AND
Each contractual client acknowledges and agrees from the outset that in order to fulfil the services within any given agreement, it is not possible to ensure that data is wholly stored within the EEA or any single geographical designated area as there is a regulatory requirement to submit information to the principal in order to fulfil travel booking requirements. Each client also agrees that the Baxter Hoare Travel’s GDS operating system – Galileo UK (Travelport Worldwide Ltd) – requires data storage in the USA. (Travelport Worldwide Ltd has entered into EU Standard model clauses with and between Travelport UK – the entity which provides access to the Galileo UK system for Baxter Hoare Travel – to provide the required legal basis for the transfer of personal data outside the European Economic Area.)
Baxter Hoare Travel shall not transfer personal information or data outside the European Economic Area without the client’s prior written consent unless Baxter Hoare Travel and the recipients of such personal data have entered into the standard contractual clauses (in relation to controller-to-processor transfers) annexed to the Commission Decision of February 2010 on standard contractual clauses for transfer of personal data to processors established in third countries (2010/87/EU).
Baxter Hoare Travel has and will continue to take all reasonable steps, in accordance with all relevant legal responsibilities, to ensure the reliability of any of its employees which will have access to the personal data of the client. If Baxter Hoare Travel receives any complaint, notice, request (including any subject access request) or communication which relates directly or indirectly to the processing of the personal data or to either party’s compliance with Data Protection Laws, we shall immediately notify the client (deemed to be acting thereafter on behalf of its employee) in writing and Baxter Hoare Travel shall provide the client with all reasonable assistance in relation to the same.
DATA RETENTION POLICY GUIDING PRINCIPLES
Baxter Hoare Travel has and maintains two registers of data held:
These documents are updated at least once a year as will testify the revision history. The owner of these documents is the acting Data Protection Officer (DPO).
Differing categories of data carry varying retention periods, the guiding principal being that no data is held longer than necessary for the needs of the business or to cover legal requirements.
Baxter Hoare Travel may collect, store and use the following kinds of personal data:
a) information about your computer and about your visits to and use of our services including our website and client facing technology
b) information relating to any transactions carried out in order us to fulfil requests in association with our defined scope of works
c) information that you provide to us for the purpose of registering your personal profile and for access to our technology
d) any other information that you choose to send to us which is pertinent to the scope of works for which we are contracted or for the fulfilment of personal travel requests – this information may extend in this instance to family members
In addition to the disclosures outlined within this policy we may disclose information about you:
a) to the extent that we are required to do so by law
b) in connection with any legal proceedings or prospective legal proceedings
c) in order to establish, exercise or defend our legal rights – including providing information to others for the purposes of fraud prevention and reducing credit risk
The right to be informed
As Data Owner Baxter Hoare Travel has an obligation under GDPR to set out:
We may process the information included in your traveller profile form (“profile data“). The source of the profile data is either you or your employer. The profile data may include your name, address, telephone numbers, email address, gender, date of birth, title, passport details, travel preferences, loyalty cards, and payment information. The profile data may be processed for providing our services. The legal basis for this processing is the performance of a contract between your employer and us.
We may process your personal data that are provided in the course of the use of our services (“service data“). The service data may include your name, address, telephone numbers, email address, gender, date of birth, title, passport details, travel preferences, loyalty cards, and payment information. The source of the service data is either you or your employer. The service data may be processed for the purpose of providing our services and communicating with you. The legal basis for this processing is the performance of a contract between your employer and us.
We may process information relating to transactions, including purchases of goods and services, that you enter into with us and/or through our website (“transaction data“). The transaction data may include your contact details, your card details and the transaction details. The transaction data may be processed for the purpose of supplying the purchased goods and services and keeping proper records of those transactions. The legal basis for this processing is the performance of a contract between you and us and our legitimate interests, namely our interest in the proper administration of our website and business.
We may process information that you provide to us for the purpose of subscribing to our email notifications and/or newsletters (“notification data“). The notification data may be processed for the purposes of sending you the relevant notifications and/or newsletters. The legal basis for this processing is consent.
We may process any of your personal data identified in this policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.
In addition to the specific purposes for which we may process your personal data set out in this section, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
The right of access and rectification
Baxter Hoare Travel respects the right of access and rectification of personal data held, in most cases this will be “profile data” and/or “service data“. Business Travellers can request their personal data be made available, and changed if needed by making a request in writing (ideally electronically so that a data trail is created). Personal data will be despatched by secure e-mail directly to the requestor.
The right to erasure
Baxter Hoare Travel respects the right to the erasure of personal data without undue delay in the following circumstances:
There are however exclusions of the right to erasure. The general exclusions include where processing is necessary for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.
The right to restrict processing
For Corporate Entities: Baxter Hoare Travel is an agent of the customer and will have gathered all necessary permissions prior to contract commencement and provision of their employee data. Any objection to processing data needs to be raised with the contractor’s contact –typically the travel manager or nominated contact – who will liaise with their local HR department.
The right to restriction does need to meet the GDPR requirements and this will be assessed as part of that company’s plan to comply with regulation. If Baxter Hoare Travel customers i.e. the business entity and not the traveller, has established that processing should be restricted, the profile will be either deleted or “frozen” such that no more travel can be booked for that individual. Profiles in Galileo (a third-party GDS) will be disabled.
The right to data portability
For Corporate Entities: individual requests from travellers will not be accepted. The customer is the contracted corporate entity. All Profile data will be deleted after a customer has transitioned to a new TMC (Travel Management Company) and all issues are settled.
Prior to that, and typically as part of a hand-over, profiles can be sent over secure means. There are however exceptions such as credit card details as well as passport details unless explicit permission and indemnification for any subsequent data loss or quality is provided.
The right not to be subject to automated decision-making
At time of creation of this document, Baxter Hoare Travel does not utilise automated decision making in any of its processes. Should this change, Baxter Hoare Travel will always provide an opt-out capability and will also review any objections within the framework provided in GDPR
SUBJECT ACCESS REQUESTS
Such requests should be in writing and preferably electronically i.e. email or scan of PDF request. Requests will be dealt with within 30 days of receipt and will be securely presented in a meaningful format dictated by Baxter Hoare Travel.
Baxter Hoare Travel is PCI-DSS compliant and has a documented incident management process. Guidance on when and how to report a data breach are documented by the ICO – Baxter Hoare Travel is committed and capable of meeting these.
DATA PROTECTION BY DESIGN
Baxter Hoare Travel is committed to ensuring that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle.
For example when:
In addition, Baxter Hoare Travel is PCI-DSS certified, this standard provides best practice for data protection. More details are available https://www.pcisecuritystandards.org/
Baxter Hoare Travel is not responsible for the privacy policies or practices of third party websites which may be entered directly from within our various client facing technologies.
Baxter Hoare Travel reserves the right to update this policy from time to time by publishing a new version on our website.
Baxter Hoare Travel
1st May 2018
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.