Privacy Policy
Registered office: 16 Royal Crescent, Bath, BA1 2LS United Kingdom
This is the Privacy Notice of The Royal Crescent Hotel & Spa (company number 07572807) and whose registered office is at 16 Royal Crescent, Bath, BA1 2LS. Where this Privacy Notice refers to “the RCH”, “we”, “us” or “our”, it is referring to The Royal Crescent Hotel & Spa. This Privacy Notice sets out how we collect and process your personal data. This Privacy Notice also provides certain information that is legally required and lists your rights in relation to your personal data. Please read this Privacy Notice to understand how we may use your personal data.
This Privacy Notice relates to personal information that identifies “you” meaning a customer or potential customer, individuals who browse our website or individuals outside our organisation with whom we interact. If you are an employee, contractor or otherwise engaged in work for us or applying to work for us, a separate privacy notice applies to you instead.
We refer to this information throughout this Privacy Notice as “personal data” and section 3 sets out further detail of what this includes.
This Privacy Notice may vary from time to time so please check it regularly. This policy was last updated on 29.7.19.
How to contact us
Data controller and contact details
For the purposes of relevant data protection legislation, we are a controller of your personal data and as a controller we use the personal data we hold about you in accordance with this Privacy Notice.
If you wish to correct your personal data held by us or to opt out at any time from receiving marketing correspondence from us or to alter your marketing preferences please contact us directly at GDPR@royalcrescent.co.uk, or see our website at www.royalcrescent.co.uk.
If you need to contact us in connection with our processing of your personal data, then our contact details are GDPR@royalcrescent.co.uk.
Data Protection Officers
Our Data Protection Officers can be contacted by email at GDPR@royalcrescent.co.uk.
Personal Data which we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
The categories of personal data about you that we may collect, use, store, share and transfer are:
- Advertising Data. This includes personal data which relates to your advertising preferences, such as information about your preferences in receiving marketing materials from us and your communication preferences;
- Information Technology Data. This includes personal data which relates to your use of our website, such as your internet protocol (IP) address, login data, traffic data, weblogs and other communication data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website;
- Individual Data. This includes personal data which relates to your identity, such as your first name, middle name, last name, username or similar identifier, marital status, title, date of birth, place of birth, passport number and gender;
- Account and Profile Data. This includes personal data which relates to your account or profile on our website, such as your username and password, proposals and bookings made by you, your interests, preferences, feedback and survey responses;
- Usage and Operational Data. This includes personal data which relates to your usage and operation of our website, such as information about how you use our website, products and services;
- Economic and Financial Data. This includes personal data required for us to process your booking in line with our obligations under the Payment Card Industry Data Security Standard (PCI) and for the prevention of fraud;
- Enquiry and Sales Data. This includes personal data which relates to the transactions you have conducted with us, such as details about payments to and from you, details of subscriptions to our services or publications and other details of products and services you have purchased from us;
- Market Research Data. This includes personal data which is gathered for the purposes of market research, such as price comparison information;
- Health Data. This includes personal data which is gathered for health and safety purposes including any accident report or claim log or any information you provide about allergies or other medical conditions during the booking process or in one of our locations;
- Communication Data. This includes personal data which relates to a method of communication such as your billing address, delivery address, email address and telephone numbers.
We may also create Personal Data about you, for example, if you contact us by telephone to make a complaint, for example about our services or goods, then we may make a written record of key details of the conversation so that we can take steps to address the complaint.
We also obtain and use certain aggregated data such as statistical or demographic data for any purpose (“Aggregated Data”). Aggregated Data may be derived from your personal data but does not directly or indirectly reveal your identity. For example, we may aggregate your Operation Data to calculate the percentage of users accessing a specific feature on our website. However, if we re-combine or re-connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.
In addition, we may obtain certain special categories of your data (“Special Categories of Data”), and this Privacy Notice specifically sets out how we may process these types of personal data. The Special Categories of Data are data relating to sexuality, religious beliefs or health.
We collect information about Criminal convictions and Offences.
The sources from which we obtain your personal data
We obtain your personal data from the following sources:
Directly from you, either in person (at our locations or otherwise), via our website, via email or by telephone. This could include personal data which you provide when you:
- request a brochure;
- submit an enquiry,
- contact our reservations team
- apply for our products or services, including where you sign up or make a contribution to a gift vouchers
- browse our website
- subscribe to our service or publications;
- request marketing to be sent to you;
- enter into a competition or promotion;
- complete a survey from us;
- make a reservation
- sign up for spa membership
- save a quote/booking from us,
- enter details at an event.
- send an email to us
- engage with us on social media
Automated technologies, such as cookies, server logs, web analytics, and other similar technologies.
Third parties, such as:
- analytics providers;
- search information providers
- providers of technical, payment and delivery services;
- partnerships;
- online booking providers
- advertising networks;
How we use your personal data & our basis for using it
Where we are relying on a basis other than consent
We may rely on one or more of the following legal bases when processing your personal data. We have set out below the purposes for which we may process your personal data and the relevant legal basis upon which we will rely (this is what the law allows us to do):
For managing your booking we will use information provided by you to deliver our products and services. This includes booking hotel rooms, spa membership, spa visits, conferences & events. We will rely on the following legal basis to process this personal data:
- the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
To make suggestions and recommendations to you about our products and services that may be of interest to you, for determining and measuring the effectiveness of promotional campaigns and advertising and making sure our marketing is relevant to you. We will rely on the following legal basis to process this personal data:
- the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data;
To deal with your enquiries, to send you information you have requested or to provide you with important-real time information about our products and service you have ordered from us (e.g. a change necessitated by unforeseen circumstances). We will rely on the following legal bases to process this personal data:
- the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data;
- the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
For the development, delivery and improvement of our products and services, marketing and social media activities, customer relationships and experiences in the provision of products and services to our customers. We will rely on the following legal basis to process this personal data:
- the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data;
To help us develop our website to be more useful to you and our customers, for identifying usage trends and for internal purposes of research, analysis, testing, monitoring, customer communication, risk management and administrative purposes, to help us define types of customer for our products and services, to keep our website updated and relevant and to develop our marketing strategy. We will rely on the following legal basis to process this personal data:
- the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data;
Where you have submitted a job application we may for a reasonable period of time keep your details on file for future reference should a suitable position subsequently become available and we may send you information about job opportunities. We will rely on the following legal basis to process this personal data:
- the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data;
To protect our rights or property (including our website), administer and improve our IT services and network security, prevent fraud and facilitate any business reorganisation exercise. We will rely on the following legal basis to process this personal data:
- the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data;
In order to comply with our own legal obligations, e.g. health and safety legislation, or to assist in an investigation (e.g. from the Police). We will rely on the following legal basis to process this personal data:
- the processing is necessary for compliance with a legal obligation to which we are subject;
In order to use your personal data in life or death situations where there is no time to gain your consent (e.g. in the event of an accident and we have to give personal details to medical personnel). We will rely on the following legal basis to process this personal data:
- the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
In an official role which we have been designated to carry out by an official authority (e.g. the government), or where we are otherwise carrying out tasks which are in the public interest (e.g. which have been designated as such by the government, or which would otherwise be deemed in the public interest). We will rely on the following legal basis to process this personal data:
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Special Categories of Data
In addition, we may lawfully process Special Categories of Data in certain ways. We set out below the purposes for which we may process Special Categories of Data along with the legal bases on which we process these Special Categories of Data (this is what the law allows us to do):
We may need to process your health information (for example to enable us to make arrangements for special assistance and any dietary preferences). In relation to the processing of such Special Categories of Data:
We rely on the following legal basis to process such Special Categories of Data:
- the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
- the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
Additionally, we can only process such Special Categories of Data where:
- The processing is necessary in order to protect the vital interests of you or another individual where you or the individual is physically or legally incapable of giving consent;
- The processing is necessary for reasons of public interest in the area of public health for example:
- protecting against serious cross-border threats to health;
- ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices;
We may need to disclose any Special Categories of Data we hold on you, where to do so is in the substantial public interest (for example your health information in order to prevent an epidemic, in the event of illness or injury or some other related emergency, to record any accident or injury or other incident you may suffer when visiting our location or to arrange for you to receive medical assistance), provided that when we do so we provide suitable measures to protect your rights. In relation to the processing of such Special Categories of Data:
We rely on the following legal basis to process such Special Categories of Data:
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Additionally, we can only process such Special Categories of Data where:
- The processing is necessary for reasons of public interest in the area of public health for example:
- protecting against serious cross-border threats to health;
- ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices;
We may need to process information about your religion (for example to enable us to provide you with a meal indicating a particular religion e.g. halal or kosher). In relation to the processing of such Special Categories of Data.
We rely on the following legal basis to process such Special Categories of Data:
- the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
Additionally, we can only process such Special Categories of Data where:
You have given us explicit consent to the processing of such Special Categories of Data for the purpose. You may at any time withdraw this specific consent but we will be unable to fulfil your booking in such event and we may have to cancel your booking.
We will always attempt to minimise the amount of sensitive personal data collected unless there is a specific lawful reason (e.g. an emergency situation).
Who receives your personal data
We may disclose your personal data to:
- our third party suppliers or sub-contractors who may process data on our behalf to enable us to provide you with our services. Any such disclosure will only be so that we can process your personal data for the purposes set out in this Privacy Notice;
- our group companies and affiliates or third party data processers who may process data on our behalf to enable us to carry out our usual business practices. Any such disclosure will only be so that we can process your personal data for the purposes set out in this Privacy Notice;
- HMRC, legal and other regulators or authorities, including those who request your personal data or to report any potential or actual breach of applicable law or regulation;
- external professional advisers such as accountants, bankers, insurances, auditors and lawyers;
- law enforcement agencies, courts, immigration authorities, customs and excise authorities or other relevant party, to the extent necessary for the establishment, exercise or defence of legal rights;
- third parties where necessary for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
- third parties which are considering or have decided to buy some or all of our assets or shares, merge with us or to whom we may transfer our business (including in the event of a reorganisation, dissolution or liquidation);
- third parties operating plugins or content (such as Facebook, Twitter, Instagram) on our website which you choose to interact with;
Personal data about other people which you provide to us
If you provide personal data to us about someone else you must ensure that you are entitled to disclose that personal data to us and that, without our taking any further steps, we may collect, use and disclose that personal data as described in this Privacy Notice.
You must ensure the individual concerned is aware of the various matters detailed in this Privacy Notice, as those matters relate to that individual, including our identity, how to contact us, the way in which we collect and use personal data and our personal data disclosure practices, that individual's right to obtain access to the personal data and make complaints about the handling of the personal data, and the consequences if the personal data is not provided.
ACCURACY OF YOUR PERSONAL INFORMATION
It is important that the personal data we hold about you is accurate and current and we take all reasonable precautions to ensure that this is the case but we do not undertake to check or verify the accuracy of personal data provided by you. Please keep us informed if your personal data changes during your relationship with us. We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal data that you provide to us.
INTERNATIONAL TRANSFERS OF PERSONAL DATA
It is possible that personal data we collect from you may be transferred, stored and/or processed outside the European Economic Area.
In connection with transfers of personal data outside of the European Economic Area, we shall take such steps as are necessary for compliance with the General Data Protection Regulation (EU) 2016/679, for example ensuring that:
- the relevant safeguard in place is the standard data protection contractual clauses between us and the recipient. or
- any such transfer is made on the basis of an adequacy decision, namely:
- the Privacy Shield for transfers to the US; or
- the European Commission has decided that the relevant non-EU country ensures an adequate level of protection.
How long we will store your personal data for
We ensure that we only keep your personal data for the minimum period as is necessary for us to abide by our relevant legal obligations. In relation to personal data relating to your bookings with us, we will store your personal data for 7 years from your departure date. In relation to personal data relating to marketing, we will store your personal data for 7 years from your last interaction with us. We keep the length of time that we hold your personal data under review. These reviews take place annually.
Contractual or statutory requirements on you to provide personal data
In certain circumstances the provision of personal data by you is a requirement:
- to comply with the law or a contract; or
- necessary to enter into a contract.
- You are required to provide personal data which is necessary to comply with the law and the consequences of failing to provide your personal data are the inability for us to fulfil your product or service request.
- It is your choice as to whether you provide us with your personal data necessary to enter into a contract or as part of a contractual requirement. If you do not provide your personal data then the consequences of failing to provide your personal data are that we may not be able to perform to the level you expect under our contract with you. An example of this would be where we are unable to provide you with certain products or services as we do not have your full details, or where we cannot perform our contract with you at all because we rely on the personal data you provide in order to do so.
Your rights in relation to your personal data
Subject to applicable law including relevant data protection laws, in addition to your ability to withdraw any consent you have given to our processing your personal data (see section 5.2.3), you also have a number of rights in connection with the processing of your personal data, including:
- the right to request access to your personal data that we process or control;
- the right to request rectification of any inaccuracies in your personal data or, taking into account the purposes of our processing, to request that incomplete data is completed;
- the right to request, on legitimate grounds as specified in law:
- erasure of your personal data that we process or control; or
- restriction of processing of your personal data that we process or control;
- the right to object, on legitimate grounds as specified in law, to the processing of your personal data;
- the right to receive your personal data in a structured, commonly used and machine-readable format and to have your personal data transferred to another controller, to the extent applicable in law; and
- the right to lodge complaints regarding the processing of your personal data with the Information Commissioner’s Office or other relevant supervisory body. Please see https://ico.org.uk/concerns/ for how to do this.
If you would like to exercise any of the rights set out above, please contact us using the contact details set out in section 2.
Links to other websites
This policy only applies to us. If you link to another website from our website, you should remember to read and understand that website’s privacy policy as well. We do not control unconnected third-party websites and are not responsible for any use of your personal data that is made by unconnected third party websites.