This privacy notice explains how Bourne Leisure LTD may use your personal data in order to meet the unprecedented challenges of the COVID-19 pandemic, whilst supporting our guests, local community and team members and continuing to provide you with memorable holidays.
Bourne Leisure LTD is committed to protecting your privacy. We will only process personal data that we need to, and we will use anonymised data where it is possible and most appropriate to do so. We will only retain your data for as long as is required to provide support to you or others because of the COVID-19 pandemic, after which time we will securely destroy it, unless there is a requirement by law to keep it for a longer period.
Important information and who we are
Bourne Leisure LTD is the data controller and is responsible for your personal data. Our business is organised into three main brands, Butlins Skyline LTD, Haven Holidays and Warner Leisure Hotels.
If you have any questions about this privacy notice or our data protection practices, please contact the DPO on the details provided below:
Our full contact details are:
Data Protection Officer – Gemma Haines
Email address: Privacy@Bourne-leisure.co.uk
Write to us at: 1 Park Lane, Hemel Hempstead, HP2 4YL
How we collect personal data from you
We may collect personal data from you when you visit our websites, speak to us on the telephone, contact us in writing, by email or any other type of electronic communication, or talk to us face to face.
The personal data we collect about you
We may collect, use, store and transfer some or all of the following personal data, which may include special category (sensitive) data, e.g where a guest, owner or team member reports unwell, during or after a visit. In this scenario we would endeavour to collect only the information we need to manage the risks on-site. We will always follow the principle of adequate, relevant and limited to what is necessary, and in any case this would be limited to:
- Basic personal information, e.g. your name (only if required)
- Contact information
- Car registration
- Booking information e.g. accommodation number/date of stay
- Information about other guests in your party (only if required)
- Basic health details (this would be the minimum required for the purpose and we would not ask for details of underlying health conditions or symptoms) e.g. if you report to us that you feel unwell, we may ask if you are experiencing Covid Symptoms but we would not ask what those symptoms are.
Why we might use your personal data
We may use your personal data for the following reasons:
- Management and monitoring of health and safety risks
- Controlling the spread of infection
- Contributing to test and trace in order to assist the NHS (if required)
- Providing support to individuals (where appropriate)
- Safeguarding individuals who are in high risk categories and would be considered vulnerable if they were infected
- To ensure essential service provision is identified and supported
- Conduct emergency planning
How we may collect and share your personal data
Apart from personal data which we may collect directly from you, we may also obtain personal data from, and share it, with:
- Internal departments within the business (where appropriate)
- Public Health England
- Police and medical professionals
- Service providers who are commissioned to provide services on our behalf
- Local councils and government agencies (if required by law)
- Family, relatives and carers (where appropriate)
This list is not exhaustive, but Bourne Leisure LTD will only collect and share personal data where we are permitted to do so by law and in this situation would endeavour to provide the minimum required to satisfy the purpose.
What is our lawful basis for processing your personal data?
The General Data Protection Regulation (GDPR) requires specific conditions to be met to ensure that the processing of personal data is lawful.
The GDPR allows competent authorities, employers and organisations to process personal data in the context of an epidemic on the basis this is done so in accordance with the national law and in line with the conditions available. For example, when processing is necessary for reasons of substantial public interest in the area of public health. Under those circumstances, there is not a requirement to rely on consent of individuals.
The relevant conditions we have identified are set out below:
- Article 6(1)(B) - Processing is necessary for the performance of a contract
- Article 6(1)(F) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
- Article 6(1)(D) - Processing is necessary in order to protect the vital interests of the data subject or another natural person, this is only relevant in an emergency situation and is only likely to apply in cases where an individual cannot consent to the sharing of data for themselves due to incapacity
- Article 6(1)(C) - Processing may be necessary where we have a legal obligation relating to health and safety at the workplace, or to the public interest, such as the control of diseases and other threats to health
The processing of special categories of personal data, which may include data concerning a person's health are prohibited unless specific further conditions can be met. These further relevant conditions are set out below:
- Article 9(2)(A) - The data subject has given explicit consent to the processing of those personal data for one or more specified purposes
- Article 9(2)(B) - Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment social security and social protection law.
- Article 9(2)(C) - Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
- Article 9(2)(I) - Necessary for reasons of substantial public interest in the area of public health
Where the processing of special categories of personal data relates to employment or health we are also required to satisfy conditions from Schedule 1 of the Data Protection Act 2018. These have been set out below:
Schedule 1, Part 1(1) (DPA) – is necessary for the performance or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, e.g. Health and Safety at Work Act 1974.
Schedule 1, Part 1(3) (DPA) – is necessary for reasons of public interest in the area of public health, and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law, e.g. https://www.gov.uk/guidance/maintaining-records-of-staff-customers-and-visitors-to-support-nhs-test-and-trace
How long will my personal data be retained?
We will only keep your information for as long as it necessary, taking into account Government advice and the on-going risk presented by Coronavirus.
When the information is no longer needed for this purpose, it will be securely deleted.
Where consent applies, you can withdraw your consent at any time. Please contact the DPO stating your request. Remember to tell us which brand your request applies to and provide us with sufficient information to enable us to identify you.