The Graythwaite Estate is committed to protecting and respecting your personal data and privacy. This privacy notice relates to our use of any personal data we collect from you from any of our services. Whenever you provide such information, we are legally obliged to use your information in line with all applicable laws concerning the protection of personal data and The General Data Protection Regulation 2018 (GDPR).
Who is Collecting and Using Your Personal Data?
The Graythwaite Estate. You can contact us via email: firstname.lastname@example.org
Purpose of Processing and Legal Basis
You may give your personal details to the Estate by purchasing a product or service in person, by phone or by using our website, making a booking for a holiday cottage, booking wedding venue/event hire, applying to lease a property, ordering goods and services, engaging with us on social media, contacting us by any means with queries, complaints etc., choosing to complete any surveys we send you, entering prize draws or competitions, commenting on or reviewing us, asking us to send you e-newsletters, giving a third-party permission to share with us the information they hold about you, applying for work either as an employee or contractor/supplier or, in some circumstances, your personal details may have been provided to us by another person, e.g. a referral.
We may collect data from publicly available sources (such as Land Registry) when you have given your consent to share information or where the information is made public as a matter of law.
Your image may be recorded on CCTV when you visit the grounds of the Estate.
In any case the Estate must have a legal basis for processing your personal data. We will only use your personal data in accordance with the terms of a contract and our privacy notice.
The legal bases we rely upon when processing your personal data are:
- Legal Obligation: To comply with the law, e.g. HMRC and Tax legislation.
- Contractual Obligation: Lease obligations, supply agreements, employment.
- Legitimate Interest: For marketing and public relations in relation to our services in order to improve the services we offer.
- Consent: Where we have explicitly obtained your consent to share your data with other parties e.g. to provide an employment or credit reference about our service provision.
- Vital Interest of Data Subject: In the event of an emergency, the limited information we hold on you would be provided to emergency services as necessary.
When we process on the lawful basis of legitimate interest, we apply the following test to determine whether it is appropriate:
- The purpose test: Is there a legitimate interest behind the processing?
- Necessity test: Is the processing necessary for that purpose?
- Balancing test: Is the legitimate interest overridden, or not, by the individual’s interests, rights or freedoms?
How is My Personal Data Being Used?
Your personal data will be processed on a need-to-know, confidential basis by members of the team. It may also be processed by third parties such as third-party holiday booking companies, cloud backup providers, website hosting companies, IT managed service providers, privacy consultants, accountants, statutory bodies, and similar as required. Everyone with access to your data will treat it confidentially and in a GDPR-compliant fashion.
We may also disclose your personal information to third parties:
- In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets; or
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect our rights, property, or safety, or that of our clients, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
We only process data that is necessary for our purpose and we only keep it for as long as we have to.
The Regulations are particular about where data is processed, and some internet and other services work through contracts with overseas companies. We will not transfer your data to ‘Third Countries’; however, some of our processors may do so, and where this is the case we have ensured that they are using GDPR-recognised means of doing this, such as Binding Corporate Rules or the EU-US or Switzerland – US Privacy Shield. If you would like to view the documentation relating to any such transfers, we will be happy to provide you with it.
Our security measures include two-factor authentication, state-of-the-art malware (anti-virus) endpoint protection, password protection, email encryption, computer monitoring, update management, staff training, intruder alarms, and CCTV.
How Long Will We Keep Your Personal Data?
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.
At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
Will You Sell my Data or Use it for Marketing?
We will not sell your data to third parties.
Combining Your Data for Personalised Direct Marketing
We want to bring you information, offers and promotions that are most relevant to your interests at particular times. To help us form a better, overall understanding of you as a customer, we may combine your personal data gathered across the Graythwaite Estate. For this purpose, we may also combine the data that we collect directly from you with data that we obtain from third parties to whom you have given your consent to pass that data on to us – such as the Land Registry mentioned above.
What Are My Rights?
The GDPR gives you several rights such as the right to:
- ask to see what data we process for you – this is called a subject access request (SAR)
- withdraw consent given to processing of your personal data
- ask us to rectify inaccuracies – and we ask that you keep us up to date with any changes to your contact details
- request erasure of your personal data
- object to us processing your personal data
- request restriction of the processing of data concerning you (normally this would be while we look at an objection to us processing your data; there are other situations where this applies too, so get in touch if you need more info)
- portability of your data – In some cases you can request your data in a form that makes it easy to take to another processor.
- lodge a complaint with a Supervisory Authority (within the UK this would normally be the Information Commissioner’s Office – http://www.ico.gov.uk)
Do I Have to Give You My Data?
No. Apart from where there is a statutory or contractual requirement for you to give us your data, you are under no obligation to share your data with us.
If you don’t share your data with us, we may have difficulty providing some elements of our service. It is not practical or helpful to expand on this here, but we will discuss it with you should the situation arise.
Do You Use Automated Decision-Making or Profiling?
Complaints or Queries
Any requests about the personal details held by the Estate or how we use this data or confirmation that you wish to exercise your rights under GDPR should be addressed to:
The Data Protection Manager, Graythwaite Estate Office, Ulverston, Cumbria, LA12 8BA
You also have the right to raise concerns with the Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/.
If You Are Still With Us…
Hopefully, we have made this as open and transparent as possible.
If you have any questions about how your data is handled, just ask; we will be happy to explain.