1.1 We hope you will enjoy using the Alba Travel (Inverness) Ltd website (our “website”) and we want to make sure your experience is as safe and useful as possible. Here you can find out how our website works, what data we collect from you, how we use it, conditions where we may disclose this data to others and how we keep it secure.
1.2 Alba Travel (Inverness) Ltd is part of The Clyde Group Ltd (SC481645) (“The Clyde Group”, “we”, “our” and “us”) and takes the issue of security and data protection very seriously and strictly adheres to guidelines published in the United Kingdom Data Protection Act of 1998 and the General Data Protection Regulation (EU) 2016/679, which is applicable from 25th May 2018. We are the data controller of any personal data that you provide us in accordance with this policy.
1.3 Any questions relating to this policy and our privacy practices should be sent to email@example.com.
2 How we collect information from you and what information we collect
2.1 We collect your personal information in the following ways:
2.1.1 you may give us information about you via our website, or by corresponding with us by e-mail or telephone. This includes information you provide when you contact us via our website, including when you report a problem with our website, or when you correspond with us for any purpose;
2.1.2 by visiting our website we may automatically collect technical information which may form personal information;
2.2 We may collect the following personal information about you where relevant:
2.2.1 name, e-mail address, address, employer and telephone number;
2.2.2 technical information including your IP address, login information, browser type and clicks on our website from your use of our website (for further information see our section on cookies below);
3 Why we need this information about you
3.1 We collect and process personal information held about you: (i) when we are required to comply with a legal obligation; and/or (ii) if the processing is for our legitimate interests or those of a third party, as noted below.
3.2 We need your information and use the information we collect about you:
3.2.1 to enable us to supply you with products and services that you have requested;
3.2.2 to help us with understanding more about how our website is used and to improve the website to ensure that content is presented in the most effective manner;
3.2.3 to be able to respond to your query;
3.2.4 to be able to send you communications that may be of interest to you, either electronically or otherwise; and
3.2.5 for all other purposes consistent with the proper performance of our operations.
3.3 We will only use your personal information for the purposes for which we collected it as detailed above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so, or we will seek your consent if required.
4.1 It is your choice whether you receive information such as marketing from us. If you indicated that you are interested in receiving regular information about The Clyde Group’s activities, we will send you communications either electronically or by post. In addition, we may send you direct mail that we feel may be of interest to you. We will not contact you for marketing purposes unless you have given your prior consent. If, at any time, you no longer wish to receive this information, please send a written request to firstname.lastname@example.org.
4.2 Also, all of our email marketing correspondence gives you the option to opt out of receiving further marketing emails. Please note that you will still receive emails directly related to an enquiry you have submitted via our contact form.
5.2 Cookies are small text files, placed on your hard disk by a web page server. They are uniquely assigned to you, and can only be read by a web server in the domain that issued the Cookie to you.
5.3 We use encrypted information gathered from Cookies to improve your online experience with The Clyde Group.
5.4 We use per session Cookies which are deleted when you leave our website. They help keep track of your progress so you don’t have to enter the same information more than once. More specifically we use the following Cookies which carry out the functions described:
5.4.1 __utma – This is a Google Analytics cookie and tracks the number of times you have visited our website.
5.4.2 __utmb and __utmc – These are further Google Analytics cookies and act to calculate how long you have spent on our website in each session.
5.4.3 __utmz – This Google Analytics cookie tracks what search engine you have visited the website from and which search terms you used to find our website.
5.4.4 Facebook Pixel – this is an analytical tool that helps us measure the effectiveness of our advertising. For more information on our use of pixels please go to: https://www.facebook.com/business/help/651294705016616
5.5 If you wish to restrict or block the cookies which are set by our website, or indeed any other website, you can do this through your browser settings. If you choose to restrict or block any cookies, this may result in certain features of the website not being provided and accordingly you may not be able to take full advantage of the website’s features.
6 Data Security
Please be aware that the transmission of information via the internet is not always completely secure. Although we will do our best to protect your personal data, we cannot guarantee the complete security of your data transmitted to us electronically; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to restrict unauthorised access.
7 Sharing of your information
The information you provide to us will be treated by us as confidential and will be processed only by our employees. We may disclose your information to other third parties who act for us for the purposes set out in this notice or for purposes approved by you, including group companies, payment providers and marketing suppliers.
8 Transfers outside the UK and Europe
We may transfer your personal information outside the European Economic Area. If we do, you can expect a similar degree of protection in respect of your personal information.
9 How long we will keep your information
9.1 We review our data retention periods regularly and will only hold your personal data for as long as is necessary for the relevant activity, or as required by law (we may be legally required to hold some types of information), or as set out in any relevant contract we have with you.
9.2 We will generally keep your information as long as is necessary to fulfil our obligations to you after which this will be destroyed if it is no longer required for the reasons it was obtained.
10 Your rights
10.1 Under certain circumstances, by law you have the right to:
10.1.1 Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
10.1.2 Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
10.1.3 Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
10.1.4 Object to the processing of your personal information where we are relying on a legitimate interest (or a legitimate interest of a third party) and there is something about your particular situation which makes you want to object to processing on this ground;
10.1.5 Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it; and
10.1.6 Request the transfer of your personal information to another party.
10.2 If you want to access, verify, correct or request erasure of your personal information, object to the processing of your personal information, or request that we transfer a copy of your personal information to another party, please contact email@example.com.
10.3 You also have the right to complain to the Information Commissioner’s Office in relation to our use of your information.
PRIVACY NOTICE (APPLICANTS)
1.1 In this policy “Clyde Group” is a reference to The Clyde Group Limited. “Stena Group” is a reference to the group of companies of which The Clyde Group forms part and, where appropriate, any individual company within the Stena Group. A reference to “we” or “us” is a reference to The Clyde Group. References to “you” are references to the employee or worker covered by this policy.
1.2 “Third party” or “third parties” includes third party service providers (including contractors and designated agents) and other entities within the Stena Group.
1.3 “DCM” means The Clyde Group’s Data Compliance Manager, who can be contacted at firstname.lastname@example.org or on +(44)1414275100.
2.1 This privacy notice is issued under and in terms of the General Data Protection Regulation (“GDPR”) and applies to all individuals applying for roles with us, whether as an employee, via any contractor relationship or otherwise.
2.2 Please note that the relevant Data Protection Policy (or any similar policy or notice which may apply to our contractors from time to time) will apply, as appropriate, should your application be successful and you take up employment with, or are engaged by us.
2.3 You have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues.
3 Core responsibilities of The Clyde Group as “Data Controller”
3.1 As a “Data Controller” we are responsible for deciding how we hold and use personal data (sometimes referenced as personal information) about you. We are committed to protecting the privacy and security of personal data. This notice is being provided to you so that you are aware of our approach to the management of personal data.
3.2 This notice describes how we collect and use personal data in accordance with the GDPR and it also contains obligations on you.
3.3 We have, in advance of issuing this notice, reviewed the technical and other measures adopted by us to ensure compliance with data privacy principles.
4 Acknowledgement of Notice
We require all individuals applying for roles with us to read and act in accordance with this notice.
The DCM is ultimately responsible for the matters covered in this notice.
We will make sure we have in place appropriate measures to ensure compliance with the GDPR and this privacy notice, and where appropriate we will carry out and document risk assessments.
7 Data security
7.1 We have put in place measures to protect the security of your personal information. These prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees and third parties who have a business need to know.
7.2 Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
8 Record Keeping
Record keeping relative to our data processing activities is the responsibility of the DCM.
9 Core Principles
The law says that the personal information we hold about you must be:
9.1 Used lawfully, fairly and in a transparent way.
9.2 Collected only for legitimate purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
9.3 Relevant to the purposes we have told you about and limited only to those purposes.
9.4 Accurate and kept up to date.
9.5 Kept only for as long as is necessary for the purposes we have told you about.
9.6 Kept securely.
10 Personal Data
10.1 Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
10.2 There are “special categories” of more sensitive personal data which require a higher level of protection.
10.3 The following lists the data we will hold, store and collect.
10.3.1 Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
10.3.2 Recruitment information (including copies of right to work documentation, references and other information included in a CV, application form or cover letter or provided as part of the application or interview process);
10.3.3 Identification documents (including passports and driving licences);
10.3.4 Employment records (including job titles, work history and location, working hours, training records and professional memberships); and
10.4 We may also collect, store and use the following “special categories” of more sensitive personal information:
10.4.1 Information about your race or ethnicity, religious beliefs or sexual orientation;
10.4.2 Information about your health, including any medical condition, health and sickness records; and
10.4.3 Information about criminal convictions and offences.
11 How is your personal information collected?
We collect personal information through the application process directly from you or from publicly available information. We may sometimes collect additional information from third parties including an employment agency, background check provider, former employer, named referee or from credit reference agencies.
12 How will we use information about you?
12.1 We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
12.1.1 Where we need to comply with a legal obligation; or
12.1.2 Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
12.2 In particular, the situations in which we may process your personal information are as follows:
12.2.1 Making a decision about your recruitment or appointment and the terms of any offer;
12.2.2 Checking you are legally entitled to work in the UK;
12.2.3 Business management and planning, including accounting and auditing;
12.2.4 Dealing with legal disputes involving you; and
12.2.5 Prevention and detection of fraud or other criminal offences.
12.3 Some of the above grounds for processing will overlap and there may be several grounds which justify our processing of your personal information.
13 If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to progress your application.
14 Change of purpose
14.1 We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
14.2 Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
15 How we use particularly sensitive personal information
15.1 “Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:
15.1.1 In limited circumstances, with your explicit written consent;
15.1.2 Where we need to carry out our legal obligations;
15.1.3 Where it is needed in the public interest, such as for equal opportunities monitoring; or
15.1.4 Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
15.2 Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
15.3 We will use your particularly sensitive personal information in the following ways:
15.3.1 We will use information about your race or ethnicity, religious beliefs or sexual orientation in order to ensure meaningful equal opportunities monitoring and reporting;
15.3.2 We will use information about your physical or mental health, or disability status, to address any possible obligation of adjustment under the Equality Act 2010 which may arise during the application process;
16 Information about criminal convictions
16.1 Where appropriate, we will collect information about your criminal convictions history if we would like to offer you a role (conditional on checks and any other conditions, such as references, being satisfactory). We are entitled to carry out a criminal record check in order to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for the role. In particular:
16.1.1 Where we are legally required to carry out criminal record checks for those carrying out certain roles; and
16.1.2 Certain roles which you may apply for require a high degree of trust and integrity and so, where appropriate, we would like to ask you to seek a basic disclosure of your criminal records history as part of your application.
16.2 We have in place appropriate safeguards which we are required by law to maintain when processing such data.
17 Data sharing
17.1 We may have to share your data with third parties,
17.2 We require third parties to respect the security of your data and to treat it in accordance with the law.
17.3 We may transfer your personal information outside the European Economic Area. If we do, you can expect a similar degree of protection in respect of your personal information.
18 Why might we share your personal information with third parties?
We will share your personal information with third parties where required by law, where it is necessary to administer the application process or where we have another legitimate interest in doing so.
19 Data transfer to other entities within the Stena Group
We will transfer data to other companies within the Stena Group where there is a legitimate business interest to do so. This may be as part of our regular reporting activities on company, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data or where required in accordance with the application process.
20 How secure is your information with third party service providers and other entities in our group?
All third parties are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow third parties to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
21 Transferring information outside the European Economic Area (“EEA”)
21.1 We will transfer the personal information we collect about you to or elsewhere if we have a legitimate business reason to do so.
21.2 To ensure that your personal information does receive an adequate level of protection we have put in place a contract containing model contractual clauses as an appropriate measure to ensure that your personal information is treated in a way that is consistent with, and which respects, the EU and UK laws on data protection.
22 Data breaches
22.1 As a Data Controller, we have certain obligations under the GDPR to notify the ICO in the event of the loss or unauthorised access, disclosure or acquisition of the personal information we hold (“Data Breach”).
22.2 If you know or suspect that a Data Breach has occurred during the application process, please contact the DCM immediately and follow their instructions. You should preserve all evidence relating to the potential Data Breach.
23 How long will we use your information for?
23.1 We will only retain your personal information for as long as is necessary in order to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
23.2 To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
23.3 In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
23.4 Our Retention Policy can be found here.
24 Your rights in connection with personal information
24.1 Under certain circumstances, by law you have the right to:
24.1.1 Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
24.1.2 Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
24.1.3 Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
24.1.4 Object to the processing of your personal information where we are relying on a legitimate interest (or a legitimate interest of a third party) and there is something about your particular situation which makes you want to object to processing on this ground;
24.1.5 Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it; and
24.1.6 Request the transfer of your personal information to another party.
24.2 If you want to access, verify, correct or request erasure of your personal information, object to the processing of your personal information, or request that we transfer a copy of your personal information to another party, please contact the DCM in writing.
24.3 You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
24.4 We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
25 Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the DCM. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
26 Your responsibilities
26.1 You are responsible for helping the DCM keep your personal data up to date. You should let the DCM know if personal information you have provided changes during the application process.
26.2 If at any stage of the application process you are supplied with personal data relative to others this must not be disclosed inside or outside The Clyde Group unless you have been authorised to do so.
26.3 If you have any questions, please contact the DCM.