Waverley privacy and fair processing notice
Waverley Excursions Limited, a company registered in Scotland with company number SC070945 and with its registered office at Waverley Terminal, 36 Lancefield Quay, Glasgow G3 8HA and Waverley Steam Navigation Co Limited, a company and charity registered in Scotland with company number SC050789 and charity number SC005832 with its registered office at Waverley Terminal, 36 Lancefield Quay, Glasgow G3 8HA (together “Waverley”). This privacy notice is issued on behalf of each of the above mentioned entities, so when we use the terms “we”, “us” or “our” in this privacy notice, we are referring to the relevant Waverley entity responsible for processing your data. We will let you know which entity will be the controller for your data when you contract with us.
We strive to protect the privacy of all personally identifiable information collected during the course of our activities and it is important for you to know how we process your data. We will process your personal information under the terms of this policy and in accordance with any agreement with you.
We are a “data controller” in terms under data protection laws (including from 25 May 2018, the EU General Data Protection Regulation 2016 and the Data Protection Act 2018) (“Data Protection Laws”).
We need to process personal data relating to our suppliers, customers, potential customers, volunteers and donors in order to function effectively as an organisation, ensure good governance, for audit purposes, to perform our business and to enable us to meet our legal obligations as an employer and as a registered charity.
Personal data is processed for commercial, charitable, administrative, statutory and marketing/promotion purposes. All such personal data is collected and held in accordance with all applicable Data Protection Laws.
What personal information will Waverley use?
This list includes all the ways we may use your personal information, and which of the reasons we rely on to do so. This is where we tell you what our legitimate interests are.
Where do we obtain your information?
In most cases we will obtain this information from you directly. We obtain customer data when bookings are made with us over the phone or online. We obtain employees of our suppliers or contractors data when we are arranging for their services to be provided to us and when receiving invoices. We obtain donor data when a donations is being made. We obtain volunteer data when individuals contact us about becoming volunteers or sign up to become volunteers. We obtain potential customer data when these individuals sign up to receive our communications via telephone or our website.
We process the personal data referred to above for the purposes of any contract or potential contract with our suppliers and customers; or for our legitimate interests in order to function effectively as an organisation, to ensure good governance, for audit purposes, to perform our business and charitable activities; and to enable us to meet our legal obligations that we may be subject to as an employer, a trust and as a registered charity.
Who do we share your information with?
The information you provide to us may be accessed by our staff, our trustees, our auditors, our professional advisors and carefully selected third parties in the course of providing services to us under suitable obligations of confidentiality.
In particular, where you are a donor and able to claim Gift Aid then we will share your information with Her Majesty’s Revenue and Customs (“HMRC”).
We may also use information in aggregate, where personally identifiable information is removed, for marketing and strategic development to improve and support our activities.
We employ administrative, electronic and physical security measures to ensure that the information that we collect about you is protected from access by unauthorised persons and protected against unlawful processing, accidental loss, destruction and damage.
Please be aware that unfortunately the transmission of information via the internet or by email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of the data transmitted to us and any transmission is at your own risk.
The period for which the personal data will be processed
We will retain personal data securely and only in line with how long it is necessary to keep for the purposes or for a legitimate and lawful reason.
Our typical retention periods are as follows:
|Personal Data Held Within:||Retention Period:|
|Customer contracts and documentation||7 years from the date of expiry or termination of a contract/relationship|
|Supplier contracts and documentation||7 years from the date of expiry or termination of the last supplier contract|
|Information relating to donors||5 years from the end of relationship or last correspondence|
|Information relating to volunteers||5 years from the end of relationship or last correspondence|
|Marketing list names and emails addresses||5 years if the recipient has not responded positively to a marketing or promotional email in such 5 year period|
|Documentation relating to potential customers and/or people interested in our services||5 years from the end of relationship or last correspondence|
Some personal data may be retained for longer where it is in our legitimate interest to do so, such as to protect and defend our legal rights; or for research, archiving or statistical purposes. Individuals can request that other information relating to them be erased and we will deal with such requests in accordance with the law.
Transfers outside the European Economic Area
We, or carefully selected third parties that we contract with, may send personal data to countries outside the European Economic Area (‘EEA’). If and when this occurs, there will be protections in place to ensure the recipient protects the data to the same standard as the EEA. The protections include:
- transferring to a non-EEA country with privacy laws that give the same protection as the EEA.
- putting in place a contract with the recipient that means they must protect personal data to the same standards as the EEA.
- transfer personal data to organisations that are part of Privacy Shield. This is a framework that sets privacy standards for personal data sent between the US and EU countries which makes sure standards are similar to what is used within the EEA.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our Data Privacy Manager in writing (contact details can be found at the bottom of this notice).
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
In any circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Data Privacy Manager (contact details can be found at the bottom of this notice). Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
For more information and guidance about any of these rights please go to the website of the Information Commissioner’s Office at https://ico.org.uk/.
If you think there is an issue in the way in which we handle your personal data, you have a right to raise a complaint with the Information Commissioner’s Office. Their website contains details of how to make a complaint. However, we request that you give us the opportunity to deal with your complaint in the first instance.
Changes to this Privacy & Fair Processing Notice
We keep our Privacy & Fair Processing Notice under regular review and reserve the right to update and amend it. This notice was last updated in April 2020.
A cookie is a small file which asks permission to be placed on your computer’s hard drive. The cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
Anonymous visitor statistics cookies
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
For further information about the proposed data sharing set out in this notice, or about any aspect of Waverley and the processing of your personal data, please contact our Data Privacy Manager:
|Telephone:||0141 243 2224|
|Address:||FAO Data Privacy Manager
Waverley Excursions Ltd.
36 Lancefield Quay
Glasgow G3 8HA