Cresta World Travel Limited
This statement’s purpose is to inform users of our services about what personal information is collected and processed, and to confirm how long the data is retained, who it is shared with and the users’ rights.
Lawful Grounds For Processing Personal Data
Under the EU General Data Protection Regulation (GDPR) there are six lawful bases for processing personal data. These are detailed as follows:
- Consent – the individual has given clear consent for you to process their personal data for a specific purpose
- Contract – the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
- Legal Obligation – the processing is necessary for you to comply with the law (not including contractual obligations)
- Vital Interests – the processing is necessary to protect someone’s life
- Public Task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate Interests – the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Cresta World Travel acts as both a business and leisure travel agency and therefore collects necessary personal data from our customers in order to process and perform the contract of arranging and fulfilment of holiday travel and business travel requirements. Any data collected will be held securely and in accordance with the EU General Data Protection Regulations 2016/679.
Cresta has reviewed the six legal grounds for processing personal data and we have chosen the following as the most appropriate in the following scenarios:
- Consent – Cresta will only process the personal data of leisure travel contacts for sales and marketing purposes where we have explicit consent to do so.
- Legal obligation (as above) for both leisure and business clients.
- Contract – Cresta will process personal data under the legal grounds of ‘contract’ when someone enters into a contract regarding a travel booking or holiday booking of any kind, to enable us to deliver our obligations under that contract.
- Legitimate interests – for the sales and marketing purposes for business travel contacts we will not be seeking consent but will market to you under the grounds of legitimate interests. Cresta business travel targets will be the type of contacts we believe to have a legitimate interest in business travel services. Cresta will determine this through the type of businesses we target and the job roles of the people within those businesses. Cresta has carried out a Legitimate Interest Assessment (LIA) as advised by the ICO. Based upon that assessment it is deemed that the rights and freedoms of the data subjects we are targeting would not be overridden and that in no way would a data subject be caused harm as a result of us processing their data in this way.
Passenger data will not be passed on by us to third parties for marketing purposes, and apart from information required for legal compliance, will be deleted from our systems at an appropriate time after travel is completed.
Third party data controllers include airlines, hotels, car hire and some other ground suppliers’ reservation systems, all of which will securely hold data in accordance with GDPR and will be used only to provide the services requested.
How long do we hold your data?
Client Data: we hold client contract data, correspondence and contact details on our CRM system through the period of the contract, and after the contract ends for at least 7 years. The reasons for retaining the data are so that we have accurate records of the business relationship should the client decide to return to Cresta for further travel services in the future and for marketing purposes under the grounds of ‘legitimate interests’ to keep the client / former client informed of service developments in our business. You can make a request to exercise your rights under GDPR at any time by emailing firstname.lastname@example.org including your right to restrict or object to further processing.
Prospect/Target Data: For prospective clients and organisations we wish to do business with, we hold contact details for marketing purposes under the legal basis of GDPR of ‘legitimate interests’ – we are continually adding, updating and keeping this data accurate, and once added to our CRM system we keep this data indefinitely, unless the data subject asks for it to be obfuscated or removed in line with their rights under GDPR.
The Information we collect:-
- Passenger names
- On occasions required by the authorities of the visiting country or airlines we may need to advise an emergency contact number.
- Date of birth
- Passport details
- Place of residence
- Contact details
- Special requirements: health data on disability or other medical conditions, which have an impact on fulfilment of the travel arrangement.
- Dietary restrictions (which may disclose your religious beliefs)
As some of this data may be considered as sensitive personal data, clear and explicit consent will be sought from passengers before we process this data. We will make sure all members of the travelling party are aware and agree to this policy and have consented.
Your rights: There are 8 rights under GDPR regarding your personal data:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
It is important to understand the difference between a right to object and the right to erasure. If you make a request for deletion, we will remove any data we hold about you from the Cresta CRM system. If you are removed from our system, and you are a business contact, there is a risk that your data may be processed again in the future if your details are re-added to our CRM system by a member of our marketing or sales team who genuinely believes that your organisation would have a legitimate interest in our business travel services. If you do not wish for us to contact you again about our services, we would recommend you ‘request to object’ or to ‘restrict processing’ rather than request ‘deletion’, as these alternative bases will ensure that your details are no longer processed. The option, however, is yours, and whichever option you choose we will process your request within 30 days. If you wish to exercise any of your personal data rights under GDPR or you have any questions or concerns about how we are processing your data please contact us at email@example.com.
Transferring Data outside of the EU
As part of the services offered through this website, the information which is provided may need to be transferred. This may happen if any of our servers are from time to time located in a country outside of the EU. These countries may not have similar data protection laws to the UK. By submitting your personal data, you’re agreeing to this transfer, storing or processing. If we transfer your information outside of the EU in this way, we will take steps to ensure that appropriate security measures are taken with the aim of safeguarding that your privacy rights continue to be protected as outlined in this Policy.
When using our website, every effort is made to ensure that you are securely transmitting data, using secure SSL encryption. When you are on a secure page, a lock icon will appear in your web browser, and the URL will begin with https:// instead of http://.
Please note that in order for us to provide you with optimum service, we use ‘Cookies’ on our website.
Linking to other sites from our website:
Our website contains links to other sites and Cresta World Travel is not responsible for the privacy practices within any of these other sites. Users should be aware of this when leaving our site and we would encourage users to read the privacy statements on other sites visited.
All calls may be recorded for training and quality assurance.
If you wish to exercise any of your personal data rights or you have any questions or concerns about how we are processing your data please contact us at firstname.lastname@example.org.
Policy updated May 2018
Cresta Business Travel
Cresta World Travel Limited, Cresta House, 32, Victoria Street, Altrincham, Cheshire, WA14 1ET
Registered in England No. 2662445. VAT No. 603 3764 59