Privacy Policy
Meridian Reading Limited GDPR and Data Protection / Handling Policy
- Introduction
Meridian Reading Limited (referred to as "the Hotel Group") is committed to protecting the privacy and security of personal data. This policy outlines our commitment to GDPR (General Data Protection Regulation) compliance and sets out how we collect, process, store, and protect personal information in line with data protection laws, including the GDPR.
- Scope
This policy applies to all employees, contractors, third-party service providers, and any individual or entity processing personal data on behalf of the Hotel Group. It covers all personal data collected, whether directly from the data subject, through online or offline services, or from third parties.
- Key Definitions
- Personal Data: Any information related to an identified or identifiable natural person (the “data subject”).
- Processing: Any operation performed on personal data, including collection, storage, use, transfer, or deletion.
- Controller: The entity that determines the purposes and means of processing personal data.
- Processor: The entity that processes personal data on behalf of the controller.
- Legal Basis for Processing Personal Data
The Hotel Group processes personal data lawfully, fairly, and transparently. The legal bases for processing include:
- Consent: Where individuals have explicitly agreed to the processing of their data.
- Contractual Obligation: When processing is necessary for the performance of a contract with the data subject (e.g., booking services).
- Legal Obligation: When processing is required to comply with legal obligations (e.g., accounting, legal disclosures).
- Legitimate Interests: When processing is in the legitimate interests of the Hotel Group, provided these interests are not overridden by the individual’s rights.
- Categories of Data Collected
The types of personal data we collect include, but are not limited to:
- Guest Information: Name, contact details, payment details, passport information, booking history, dietary preferences, and special requests.
- Employee Information: Name, contact details, national insurance number, payroll details, and performance records.
- Supplier Information: Contact information, contracts, and payment details.
- Digital Data: IP addresses, browser information, cookies, and usage data from our website or mobile apps.
- Data Collection Methods
We collect personal data through various channels, including:
- Directly from Guests: Via online booking systems, email, phone, or in-person check-ins.
- Through Third Parties: Travel agencies, tour operators, and online booking platforms.
- From Employees and Contractors: During recruitment, onboarding, and employment.
- Website and Mobile Apps: Automatically through cookies and similar technologies.
- Data Retention
We will retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements. We review retention periods for different categories of data regularly and will securely dispose of data that is no longer required.
- Data Security
We take appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, or damage, including:
- Encryption: Encryption of personal data both in transit and at rest.
- Access Controls: Limiting access to personal data to authorized personnel only.
- Regular Audits: Regular reviews and audits of data security measures.
- Incident Response: Having a data breach response plan in place to mitigate and report any data breaches in accordance with legal obligations.
- Data Sharing and Transfers
Personal data will only be shared with third parties when there is a legal basis to do so, and only for the purposes set out in this policy. These include:
- Service Providers: IT service providers, payment processors, and marketing agencies who assist in delivering our services.
- Legal Requirements: Disclosure to law enforcement agencies or regulators as required by law.
- International Transfers: If personal data is transferred outside of the EEA (European Economic Area), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
- Data Subject Rights
Under GDPR, individuals have the following rights regarding their personal data:
- Right to Access: Individuals can request a copy of the personal data we hold about them.
- Right to Rectification: Individuals can request correction of inaccurate or incomplete data.
- Right to Erasure: Individuals can request the deletion of their personal data under certain circumstances.
- Right to Restrict Processing: Individuals can request that we limit the processing of their personal data.
- Right to Data Portability: Individuals can request a copy of their data in a structured, commonly used format.
- Right to Object: Individuals can object to the processing of their personal data based on legitimate interests or direct marketing purposes.
- Right to Withdraw Consent: Individuals can withdraw consent at any time where consent is the legal basis for processing.
- Right to Lodge a Complaint: Individuals can lodge a complaint with a supervisory authority (e.g., the Information Commissioner’s Office in the UK).
- Cookie Policy
Our website and mobile apps use cookies to collect information about user behavior and enhance the guest experience. We will obtain explicit consent before using any non-essential cookies. Details of the cookies used and how to manage them can be found in our Cookie Policy.
- Employee Responsibilities
Employees and contractors who handle personal data on behalf of the Hotel Group must:
- Comply with this policy and all relevant data protection laws.
- Ensure data is processed securely and is not shared without appropriate authorization.
- Report any data breaches or incidents immediately to the Data Protection Officer (DPO).
- Data Breach Reporting
In the event of a personal data breach, we will:
- Take immediate action to contain the breach.
- Assess the potential impact and notify the relevant supervisory authority within 72 hours if the breach poses a risk to individuals' rights and freedoms.
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Training and Awareness
All employees and contractors handling personal data are required to undergo regular GDPR and data protection training to ensure ongoing awareness of their responsibilities and the latest data protection best practices.
- Changes to this Policy
We may update this policy from time to time to reflect changes in our practices, legal obligations, or regulatory requirements. Any significant updates will be communicated to relevant stakeholders.
- Contact Information
For any questions, concerns, or requests regarding this policy or the handling of personal data, please contact our Data Protection Officer (DPO) at:
- Email: christina “@” meridianleisure “dot” com
- Phone: +44 118 944 4242
- Address:
Crowne Plaza Reading East, Wharfedale Road,
Winnersh Triangle
Reading,
RG41 5TS,
United Kingdom
This policy ensures that Meridian Reading Limited adheres to the principles of transparency, accountability, and lawful processing in accordance with GDPR and data protection laws.