This document lays out the procedures and principles of data protection that will be followed by all employees at Off Peak Week Ltd.
GDPR: General Data Protection Regulation
Controller: A Controller determines the purposes and means of processing personal data.
Processor: A Processor is responsible for processing personal data on behalf of a Controller.
Personal Data: The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
As defined above, Off Peak Week acts as a Processor of data and a Controller of data. As a Processor and Controller of personal data we are required under the GDPR to provide information on the following key data protection areas:
GDPR requires that a processor must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing (reference: Information Commissioner's Office).
Off Peak Week processes data under the lawful bases of point 1 - consent, point 2 - contract and point 6 - legitimate interest.
Point 1 - Consent - Site users give their consent to process data when they utilise the site.
Point 2 - Contract - Chalets enter into a contract with Off Peak Week Ltd. to process their data.
Point 6 - Legitimate Interest - We use site usage data in ways that site users can reasonably expect and with minimal privacy impact.
Legitimate Interests Assessment
Point 1 - We process data to ensure that site users receive the best service possible.
Point 2 - The data we collect helps further this interest as it allows us to develop the best product for holiday makers and owners. Collecting this data is very unintrusive.
Point 3 - This site data is not particularly sensitive or private and it is reasonable to expect to use the data in this way with minimal impact on the user.
Off Peak Week Ltd requires the following personal data as a minimum to use the site:
If you wish to advertise a property then a more extensive list surrounding details about the property can be found in Appendix A.
Off Peak Week Ltd. will not supply any of your data to any third party unconnected to Off Peak Week, and will only use the data you provide to help develop our business and meet the needs of customers and property owners.
It will be necessary, if bookings are made, to share information with the user to ensure that both property owner and holiday maker are aware of what they have booked.
Off Peak Week Ltd. is registered with the Information Commissioner’s Office (No.) in accordance with the Data Protection Act of 1998 and the code of practice issued by the regulators of England, Wales and Northern Ireland.
The personal data stored within the Off Peak Week site includes Names, Contact details (email and phone) and the property details which can be found in Appendix A.
The data will only be used within the context of the Off Peak Week business, to understand site behaviour and to market products site-wide. When using the site you will be connecting over Hypertext Transfer Protocol Secure (HTTPS) with Secure Sockets Layer (SSL) protection. This encrypts the connection to our servers so that the data you send cannot be read by others in transit. All data is hosted on Amazon S3 servers, which are secure and encrypted.
We do not store any payment information on our servers; payment information is stored securely and encrypted in Stripe.
Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centres and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data centre operations have been accredited under:
SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
PCI Level 1
Sarbanes - Oxley (SOX)
Heroku utilizes ISO 27001 and FISMA certified data centres managed by Amazon located in Ireland (EU-West-1). Amazon has many years of experience in designing, constructing, and operating large-scale data centres. This experience has been applied to the AWS platform and infrastructure. AWS data centres are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection.
Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon only provides data centre access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centres by Amazon employees is logged and audited routinely.
Under the right of subject access, an individual is entitled to request a copy of the personal data held about them. You can view the majority of this data from your Dashboard under 'Account Settings' in the 'Your Data' section. You can also email us at firstname.lastname@example.org. We will require proof of a person's identity and legitimacy to make the request. Should any request be made, our Data Protection Officer will fully confirm the legitimacy of the request. We will then move forward in providing the data in an appropriate format.
Under GDPR legislation an organisation is not allowed to require an individual to complete a subject access request in a certain format; therefore Off Peak Week Ltd. does not require an individual to complete a specific form to make the request. It is recommended that any request should be sent by email to email@example.com so that we can deal with your request as quickly as possible. Should a subject access request be made to another member of staff or in a different format such as a written letter, all staff are fully aware of GDPR procedures and will take any request and pass it on to the Data Protection Officer.
Off Peak Week Ltd. will meet the GDPR requirements that state the information provided to the individual is in an intelligible form. Any response made by Off Peak Week Ltd. will be sure to include a glossary of terms should any technical information be included that may not be understood by the average person.
The GDPR legislation states companies can charge up to £10 for a subject access request. Off Peak Week Ltd. will not require any charge for any request made.
A data breach occurs when personal information is lost or subject to unauthorised access.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
The Data Breach Response Team has been set up to deal with any form of data breach which can occur.
ICO provides examples of data breaches which range from an email being sent to the incorrect individual through to stolen data from a breach of the database. Off Peak Week Ltd. takes data protection extremely seriously encrypting all data at rest, however if a breach were to occur Off Peak Week Ltd. will contact all users with the following information:
The name and contact details of the data protection officer or the contact point where more information can be obtained;
A description of the likely consequences of the personal data breach
A description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.
When a data breach occurs, Off Peak Week Ltd. will establish whether the breach needs to be reported to ICO. This is only the case if there is likely to be a risk to people’s rights and freedoms.
Off Peak Week Ltd. will record any breaches that occur even if they don’t need to be reported to ICO.
Any user that terminates their account with Off Peak Week will have all data removed from Off Peak Week's live database within 1 week of the end of the subscription.
Data will still exist within backups for 3 months after the end of the subscription after which it will be destroyed.
We collect data on how users use the site; this is stored securely in Google Analytics, Stripe, and on our Heroku servers. If you create an account with us then you can view the data that we hold on you by visiting the 'Your Data' page in Account Settings from your Dashboard. If you do not have an account with us then the data that we collect is simply from your behaviour on the site, to allow us to create the best service possible when booking your holiday. Any data saved to your profile may be used to help ensure that any offers sent are hand picked for you. If you would like to remove your profile from Off Peak Week please email us at firstname.lastname@example.org and we will delete your profile, alongside any data you have supplied.
If you wish to update the data we hold on you and are unable to do so from the dashboard then please email us at email@example.com
If you object to the processing of your data or wish to restrict it, then please email us at firstname.lastname@example.org to discuss your site usage and data.
We'd love to send you information about discounts, exclusive offers, and the latest info about Off Peak Week by email. We'll always treat your personal details with the utmost care and we will never sell them on to any other companies for marketing purposes. You can opt out at any time.
This lists the information held on properties listed on Off Peak Week:
Property Let Type
How many beds at your property
How many bedrooms at your property
How many bathrooms at your property
A summary of your property
Your property's address
Type of property
Type of board
A description of the cuisine you offer
What's included with food?
What is included with breakfast?
What is included with afternoon tea?
What is included with dinner?
How many days catering?
Your property's location
What country is your property in?
What resort is your property in?
Your property's distance from slopes
What town is your property in?
Your property's 'Best Bits'
A description of your property
Your property's star rating
Price per person/property
Minimum length of stay
Whether your property has/is:
In house childcare
Lift pass included
Wine with dinner
All rooms ensuite
Ski in and ski out
What's included with accommodation?
What's included with transfers?
What is the checkout time?
What are your booking policies?