The General Data Protection Regulation (GDPR) became law in the European Union (EU) on May 25th, 2018. It provides for higher standards of data protection for individuals and imposes increased obligations on organisations within the EU that process personal data. This document explains how we fulfil our obligations for protection of your personal data under the GDPR.
The GDPR provides for six legal bases for processing of personal data. We will detail below the basis on which we process each category of personal data that we collect and store.
The GDPR further provides that personal data shall be retained for no longer than is necessary for the purposes for which it is being processed. We will detail below our policy regarding retention of each category of personal data that we process. Our retention policies will in all cases be qualified with reference to our email retention and security policy which will also be detailed below.
The information relating to you that we process falls into three broad categories
We will need you to provide us with:
your name, in order to establish our contractual relationship, and
your contact details, in order that we can communicate with you.
The legal basis for processing this data is that processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Many of our customers return for second, third or more tours with us. On the basis that you may decide to return to do a subsequent tour with us, unless you instruct us otherwise we will retain your name and contact details for a period of seven years following your most recent tour with us. After seven years, we will review the personal data we hold about you and decide whether to retain it for a further three years or to delete it. If we retain it, and if at the end of the three-year period you have not expressed an interest in returning for another tour, we will then delete all personal data we hold about you.
We will ask you to provide us with:
emergency contact details, in order that we may contact somebody in the event of an emergency while you are in our care. You must inform your emergency contact(s) that you are providing us with their contact details and that we will process those details according to the terms of this policy. You should give them this link where they can read the policy: https://www.inishfreetours.com/privacy-policy/.
biographical details, to enable us to compile a document for circulation to all members of the tour containing brief introductory biographical information for everybody on the tour. You should be aware that the “Introductions” document that we compile may be printed by other guests on your tour and by our guides and drivers. We will instruct our guides and drivers to destroy their copies of the document when your tour finishes, but we have no control over what other guests do with their copies. You may choose, at your own absolute discretion, not to supply biographical details to us.
The legal basis for processing this data is that the data subject has given consent to the processing of his/her personal data for one or more specific purposes.
We will delete the emergency contact details you provide to us no later than one week after the end of your tour.
Due to the high volume of repeat business, unless you instruct us otherwise we will retain your biographical details for a period of seven years following your most recent tour with us. After seven years, we will review the biographical data we hold about you and decide whether to retain it for a further three years or to delete it. If we retain it, and if at the end of the three-year period you have not expressed an interest in returning for another tour, we will then delete all biographical data we hold about you.
In the normal course of our business with you, we will not need to store any details relating to your bank or credit card accounts. Your payments to us will most likely be made using a third party service provider. We use well established and reputable payment processing companies and we are satisfied that security of your financial information is a priority for them. Since we have no way of verifying their security practices and procedures ourselves, we cannot accept any responsibility for failures on their part to protect any data you provide to them to facilitate payment of funds that you owe to us.
Occasionally, we may need to ask you to provide us with your own bank or credit card details in order to facilitate payment of funds that we may owe to you.
The legal basis for processing this data is that processing is necessary for the performance of a contract to which the data subject is party.
We will delete your financial information when we have fulfilled the contractual obligation that required us to collect it.
You may wish to inform us about medical issues or considerations that may be, or may become, relevant during your tour. These are known as “special category data” under the terms of the GDPR, and we need to obtain your consent to process them. Such data may include but are not limited to details of medical conditions, allergies and food intolerance. It may become necessary to share these data with third parties such as medical professionals, accommodation providers and restaurants. This data will only be shared with a third party if you request us to share it or if it becomes necessary to share it in order to protect your interests. By consenting to our processing of this category of data you are giving us permission to share it when appropriate.
The legal basis for processing your special category data is that the data subject has given consent to the processing of his/her personal data for one or more specific purposes, and the condition for processing under Article 9(2) of the GDPR is that the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.
You have the right at any time to withdraw your consent for processing of this type of data. You should notify us by email at firstname.lastname@example.org if you wish to withdraw your consent for processing of special category data.
Special category data that we process will be deleted no later than one week after the end of your tour.
You have the following rights:
Please note that we do not carry out any form of profiling or automated processing of personal data.
You have the right at any time to make a complaint about how we have processed your personal data. The GDPR supervisory authority in Ireland is the Data Protection Commission and you should make your complaint to this office through the Commission’s website: https://www.dataprotection.ie
Transfers of data outside the European Union are a necessary feature of our business. Such transfers are governed on the basis of “Adequacy Decisions” made by the European Commission. The publication of an Adequacy Decision by the Commission means that the Commission is satisfied that the country concerned provides adequate protection for personal data transferred to that country. The Commission has published adequacy decisions in relation to the following countries:
This list may be updated from time to time.
If you communicate with us from a country for which there is no Adequacy Decision, you should be aware that your personal data may not be secure.
As you know, email has become a ubiquitous and essential tool of business. It is the primary means by which we will communicate with you and our email correspondence will necessarily include most, if not all, of the personal data that you share with us. It will also necessarily include non-personal data which we may need to use for a variety of purposes such as
Furthermore, it is a feature of our business that we regularly maintain correspondence with our customers after their tours on a personal and social level.
It therefore becomes impossible for us to maintain complete separation between business and personal correspondence, especially where such correspondence features email threads. We retain emails online for a period of 6 years and use established 3rd party email service providers to administer our email system. With the exception of correspondence that may be required for dispute resolution or litigation defence, we archive all business emails after 6 years. We cannot ourselves test 3rd party service providers’ security protocols and therefore we cannot accept any responsibility for breaches of data security by our 3rd party service providers.
We occasionally provide links to websites of 3rd parties such as payment processors, data regulators and our tour leaders. While we endorse these 3rd parties, we cannot be responsible for the content, performance, usability or security of their websites.