We respect your privacy and are committed to protecting your personal data. This privacy notice will tell you how we look after your personal data and about your privacy rights. It supplements any other notices and is not intended to override them.
We have tried to be brief and clear. We are happy to provide any additional information or explanation.
This version was last updated on 14th May 2018, and historic versions can be obtained by contacting us.
It is important that the personal data we hold about you is accurate and current. Please keep us informed of any changes.
The Data Controller (the legal entity which makes decisions about how your personal data is used) is Waveney River Centre (2003) Ltd, registered company 04887417.Our registered office is Hanworth House, 43 Bull Street, Holt, Norfolk, NR25 6HP
Our trading address is Waveney River Centre, Burgh St Peter, Norfolk NR34 0BT
Waveney River Centre and The Waveney Inn are trading names of Waveney River Centre (2003) Ltd.
Tel. 01502 677343
Email: [email protected]
We collect personal data in the following ways:
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.
We will only use your personal data when the law allows us to.
We have set out below how and why we plan to use your personal data.
We process your personal data for the purposes of:
The legal basis for processing your data in relation to bookings is that it is necessary for the performance of the booking contract, or because you have asked us to take specific steps before entering into a contract.
We process your personal information for the purposes of marketing our services in the form of email newsletters and/or printed brochures. We only send you marketing materials when you have given clear and verifiable consent for us to do so, and you can withdraw this consent at any time (see ‘right to withdraw consent’).
The legal basis for processing your data in relation to marketing is that you have given your consent for this purpose.
We process your personal information when you connect to our WiFi network, so that we can ensure that our internet connection is used in accordance with the law, and with our terms & conditions. The legal basis for processing your data in relation to WiFi access is that it is in our legitimate interest.
You will also be offered the opportunity of receiving marketing information when you connect to our WiFi network, but you may decline.
Our WiFi service is managed on our behalf by Purple WiFi, who collect your information either directly via a form, or via your chosen social media account.
In the interests of good customer service, we retain your personal information after your booking has ended, so that:
The legal basis for processing your data in relation to customer service is that it is in our legitimate interest. You may opt out of marketing communications at any time.
We will also process your personal information if we are specifically required to do so in order to comply with a legal obligation imposed upon us.
The categories of personal data which we process are:
We do not process any special categories of information as defined by the EU General Data Protection Regulation. This is data which is considered to be more sensitive, such as race, politics or religion, sexual orientation or biometric data.
We do not knowingly collect data relating to children.
CCTV operates throughout the park for the purposes of crime detection and the safety of our staff and guests. CCTV coverage is retained for between 7 & 14 days, but we do not operate any facial recognition or other technology which would automatically identify indidivuals.
We never sell or pass on your personal data to any other organisation without your express consent, other than for processing data on our behalf in accordance with this policy.
We use the following external organisations for processing data on our behalf and may add others without updating this policy:
It may also be necessary to share your personal data with our professional advisors (including lawyers, bankers, auditors and insurers) and with HRMC, regulators and other statutory authorities, in order to comply with our legal obligations.
We may also share your personal data with any third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We do not explicitly pass personal data to any organisations outside the European Economic Area. However, organisations processing data on our behalf, such as cloud-based marketing or backup services, may store data on servers based outside the EEA.
When you create a booking, and when you connect to our WiFi network, we require you to provide personal information which allows us to identify you and contact you. Failure to provide this information, or deliberately giving incorrect details, is a breach of our terms and conditions and may result in cancellation of our contract with you.
We do not carry out automated decision making or customer profiling in relation to contracts.
We may use address profiling to target opted-in marketing information, in order to provide you with more relevant information.
We use third party information processing companies, such as Facebook and Google, to target marketing information based on personal information which you have provided to those organisations. We do not have access to your personal information, unless you have expressly granted consent for your information to be passed on to us.
All data obtained by consent (for example for marketing purposes) is retained until you withdraw your consent. We may also remove your information if we no longer need it.
Personal data relating to bookings is retained for a period of 3 years after your last booking, unless you ask us to remove it sooner.
Personal data is always retained for a period of 6 months after the end of a booking, even if you ask us to remove it, in order to protect ourselves from payment card chargebacks, and to enable the information to be provided by the police or another statutory authority in relation to any incident during your booking.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
The General Data Protection Regulation gives you a number of rights to help protect your personal data.
You have the right to see all personal data which we hold on you. This is commonly known as a Subject Access Request.
If you make a Subject Access Request we will provide you with all the personal information which we hold relating to you. We can only provide your own personal information, unless we are satisfied that you are entitled to act on behalf of another person. It is your responsibility to provide evidence of this entitlement.
You have the right for any inaccurate personal data about you to be rectified, or completed if it is incomplete.
You have the right for your personal data to be erased (sometimes known as ‘the right to be forgotten’).
This right is not absolute, but we will erase your personal information at your request as long as it is no longer necessary for the purpose for which we originally collected or processed it and there is no other overriding legitimate interest for us to continue retaining your personal data.
When we delete your personal information, we do not delete details of bookings which you have made, but we ‘anonymise’ them so that they cannot be linked back to you.
You may also ask us to restrict processing of your data, for example whilst we correct inaccurate personal information, or to stop processing it altogether (the right to object).
You have the right to data portability, which means that you can ask us to pass your data on to a third party. We will use all reasonable means to comply with such a request and will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.
Where the legal basis for processing your data is consent (for example a marketing opt-in) you have the right to withdraw consent at any time.
All requests relating to provision of information, data removal or other rights can be made verbally, in writing, or by emailing [email protected]
We will process your request within 28 days of the date when we receive it.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO) (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns first.