General Data Protection Regulation

DATA PROTECTION POLICY

Introduction

Berkeley World (including but not limited to Berkeley Travel Limited, Berkeley Lifestyle Elite Limited, Berkeley Bespoke, Berkeley Cryptoworld and Berkeley Real Estate Limited) is committed to all aspects of data protection and takes seriously its duties, and the duties of its staff, under the General Data Protection Regulation.

This policy sets out how Berkeley World deals with personal data, including personnel files and data subject access requests, and staff members’ obligations in relation to the personal data of other members of staff, their clients, contacts, suppliers and any other third party to whose personal data Berkeley World has access.

This policy applies to all company staff, which for these purposes includes all employees, agents, consultants, other contractors, interns, volunteers and clients.

Data protection officer

Berkeley World’s Director and the Head of HR are the Data Protection Officers and are responsible for the implementation of this policy. If staff or clients have any questions about data protection in general, this policy or their obligations under it, they should direct them to the Director and/or Head of HR.

Data protection principles

The General Data Protection Regulation requires that data protection principles be followed in the handling of personal data. Personal data includes, but is not limited to, any of the categories below:

  • Name
  • Surname
  • Email address (personal or business)
  • Residential / business address
  • Phone number
  • IP address
  • Contact details
  • Billing and transaction information, including but not limited to costs, credit card information
  • PNR (Passenger Name Record)
  • Traveller documentation
  • Ticket Number
  • Airline locator
  • Hotel Reference / Confirmation Number
  • Personnel records (including medical records, HR documentation).

These principles require that personal data for both clients and staff must also:

  • Be processed fairly and lawfully in line with the individuals’
  • Be processed for a specific purpose which is adequate, relevant and not excessive for that
  • Be kept accurate and up to
  • Be kept for no longer than is
  • Be kept secure against loss or
  • Not be transferred outside the EU without adequate protection.
  • Not be transferred to third parties without the prior consent of the traveller in question.

“Client and Staff Personal data”

The General Data Protection Regulation applies to information that constitutes “personal data”. “Personal data” means information relating to identifiable individuals such as clients, job applicants, current and former employees, agency staff, consultants and other staff, suppliers, clients and marketing contacts. This includes any expression of opinion about the individual and any indication of someone else’s intentions towards the individual.

Consequently, automated and computerised personal data about staff and clients held by Berkeley World is covered by the Regulation. Personal data stored physically (for example, on paper) and held in any “relevant filing system” is also covered. In addition, information recorded with the intention that it will be stored in a relevant filing system or held on computer is covered.

A “relevant filing system” means a well-structured manual system that amounts to more than a bundle of documents about everyone which is accessible according to specific criteria.

The use of Client and Staff personal data

The General Data Protection Regulation applies to personal data that is “processed”. This includes any use of the personal data such as, but not limited to, obtaining, retaining and handling it, allowing it to be accessed, disclosed or disposed of.

Berkeley World may process the personal data of clients and staff members in order to comply with its statutory obligations under the company’s guidelines and employment contract with that individual. That data will be held and processed in accordance with this data protection policy.

Berkeley World may process the personal data of its clients, contacts and suppliers and other third parties for the purposes of providing the services of the company and in order to comply with Berkeley World’s contractual obligations. That data will be held and processed in accordance with this data protection policy.

“Sensitive Client and Staff personal data”

“Sensitive personal data” also includes information about an individual’s:

  • racial or ethnic origin.
  • political opinions.
  • religious beliefs or other beliefs of a similar nature.
  • trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992).
  • physical or mental health or condition.
  • sex life.
  • commission or alleged commission of any criminal offence; and
  • proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

The company will not retain sensitive personal data without the express consent of the individual in question.

The company will process sensitive personal data in relation to staff, including sickness and injury records and references, in accordance with the data protection principles. If the company enters discussions about a merger or acquisition with a third party, the company will seek to protect staff’s data in accordance with the data protection principles.

Staff personnel files

A staff member’s personnel file is likely to contain information about his/her work history with the company and may, for example, include information about any disciplinary or grievance procedures, warnings, absence records, appraisal or performance information and personal data about the staff member including address details and national insurance number.

There may also be other information about the staff member located within the company, for example in his/her line manager/team leader’s inbox or desktop; with payroll; or within documents stored in a relevant filing system.

Berkeley World may collect relevant sensitive personal data from staff for equal opportunities monitoring purposes. Where such information is collected, the company will anonymise it unless the purpose to which the information is put requires the full use of the individual’s personal data. If the information is to be used, the company will inform staff on any monitoring questionnaire of the use to which the data will be put, the individuals or posts within the company who will have access to that information and the security measures that the company will put in place to ensure that there is no unauthorised access to it.

Berkeley World will ensure that personal data about a staff member, including information in personnel files, is securely retained. Berkeley World will keep any hard copies of information in a locked filing cabinet. Information stored electronically will be subject to access controls and passwords, and encryption software will be used where necessary.

Berkeley World collects personal data to allow the company to comply with its statutory and contractual obligations. The data will be stored for no longer than is reasonable and, on most occasions, destroyed at the point the employment contract or contract for services comes to an end.

Berkeley World provides training on data protection issues to all staff that handle personal data in the course of their duties at work. The company will continue to provide staff with refresher training on a regular basis. Staff are also required to have confidentiality clauses in their contracts of employment.

Where laptops are taken off site, staff must follow Berkeley World’s relevant policies relating to the security of information and the use of computers for working at home/bringing your own device to work.

Staff obligations regarding personal data

If a staff member processes any personal data of any individual, including the personal data of another member of staff or client, in the course of his/her duties, he/she must ensure that:

  • the information is accurate and up to date, insofar as it is practicable to do so.
  • the use of the information is necessary for a relevant purpose and only used for that purpose.
  • it is not kept longer than necessary.
  • the information is secure.
  • one of the following applies:
      • the individual whose details are being processed has consented to the processing of that personal data; or
      • the processing is necessary to perform the legal obligations or exercise the legal rights of Berkeley World; or
      • the processing is otherwise in Berkeley World’s legitimate interests and does not unduly prejudice the individual’s privacy.

Where it is necessary for a staff member to process an individual’s personal data for the purposes of providing the services they have requested from the company or to ensure compliance with an employment contract, this will always be acceptable and the staff member is free to do so without needing specific consent from the individual.

Staff should continue to be mindful of their duties under this policy to keep such personal data safe and secure and should consider whether they have the appropriate consent of the individual before sharing any such personal data with a third party. Where personal data is to be shared with a third party for purposes other than those connected to the services being provided to the client or in order to ensure the company’s compliance with any employment contract, staff should ensure the individual has been notified of by whom and for what purposes the personal data will be processed and that the individual has consented to such processing.

Staff members should ensure that they do not send direct marketing material to an individual electronically unless there is an existing business relationship with the individual in relation to the services being marketed, or the company has their explicit consent to receive such marketing from Berkeley World.

When processing personal data, staff members should ensure that they:

  • use password-protected and encrypted software when dealing with personal data and particularly for the transmission and receipt of emails.
  • use secure VPN access when remotely accessing the company’s network and do not attempt to gain access to the network other than by way of the VPN access.
  • encrypt any data held on remote devices.
  • lock files in a secure cabinet.
  • refrain from taking files offsite unless reasonably necessary.

This is not an exhaustive list and all efforts must be made by the staff member to keep any personal data secure.

Where information is disposed of, staff should ensure that it is securely destroyed. This may involve the permanent erasure of the information from the server so that it does not remain in a staff member’s inbox or trash folder. Hard copies of information must be confidentially shredded and not just disposed of in a wastepaper basket/recycle bin.

If a staff member acquires any personal data (including that of another staff member or client, agent or supplier) in error by whatever means, he/she shall inform the Data Protection Officer (Financial Controller) immediately and provide that information to the Data Protection Officer.

A staff member must not take any personal data away from any of Berkeley World’s premises, save in circumstances where he/she has obtained the prior consent of the Data Protection Officer (Financial Controller) to do so.

If a staff member is in any doubt about what he/she may or may not do with personal data, he/she should seek advice from the Data Protection Officer (Financial Controller). If he/she cannot get in touch with the Data Protection Officer (Financial Controller) he/she should not disclose the information concerned.

Data subject access requests

Berkeley World will inform all individuals whose personal data the company processes of:

  • the types of information that it keeps about him/her.
  • the purpose for which it is used; and
  • the details of any company that it may be transferred to, subject to obtaining the appropriate consent.

All individuals have the right to access information kept about them by the company, and the company’s Data Protection Officers (Director and Head of HR) are responsible for dealing with data subject access requests.

If a member of staff receives a data subject access request from any individual, he/she must inform the Data Protection Officers (Director and Head of HR) immediately. The company is bound to deal with any such requests within one calendar month.

Berkeley World will provide the individual with the information free of charge; however, a fee may become payable where unreasonable and multiple access requests are made by that individual.

Berkeley World will allow individual access to hard copies of any personal data. However, if this involves a disproportionate effort on the part of Berkeley World, the individual shall be invited to view the information on-screen or inspect the original documentation at a place and time to be agreed by the company.

Berkeley World may reserve its right to withhold the individual’s right to access data where any statutory exemptions apply.

Correction, updating and deletion of data

If an individual becomes aware that Berkeley World holds any inaccurate, irrelevant or out-of-date information about him/her, he/she is entitled to request that such data is corrected, updated or deleted accordingly.

Requests for personal data to be corrected, updated or deleted should be made to the Data Protection Officers (Director and Head of HR) immediately, together with any necessary corrections and/or updates to the information. The company will respond to such requests within one calendar month.

Restriction to processing of data

If an individual believes that the processing of personal data about him/her is inaccurate, unlawful or unnecessary, he/she may notify the company in writing, addressed to the Data Protection Officers (Director and Head of HR), to request that Berkeley World restrict the processing of that information.

Within one calendar month of receiving the individual’s notice to exercise any of the above rights, Berkeley World will reply to the individual stating either:

  • that it has complied with or intends to comply with the request; or
  • the reasons why it regards the individual’s notice as unjustified to any extent and the extent, if any, to which it has already complied or intends to comply with the notice.

Monitoring

Berkeley World may monitor staff members by various means including, but not limited to, recording staff members’ activities on CCTV, checking emails, listening to voicemails and monitoring telephone conversations. If this is the case, the company will inform the member of staff that monitoring is taking place, how data is being collected, how the data will be securely processed and the purpose for which the data will be used. The staff member will usually be entitled to be given any data that has been collected about him/her. The company will not retain such data for any longer than is necessary.

In exceptional circumstances, the company may use monitoring without informing the staff member in advance. This may be appropriate where there is, or could potentially be, damage caused to Berkeley World by the activity being monitored and where the information cannot be obtained effectively by any non-intrusive means (for example, where a staff member is suspected of stealing property belonging to the company). Such monitoring will take place only with the approval of the Data Protection Officers.

International transfer

Staff should not transfer personal data outside the EU without first consulting the Data Protection Officers (Director and Head of HR). There are restrictions on international transfers of personal data from the EU to other countries because of the need to ensure adequate safeguards are in place to protect the personal data. If the staff member is unsure of what arrangements have been or need to be put in place to address this requirement, they should contact the Data Protection Officers.

Reporting breaches

Staff and Berkeley World have an obligation to report actual or potential data protection compliance failures to the Data Protection Officers (Director and Head of HR). This allows the company to:

  • investigate the failure and take remedial steps if necessary; and
  • make any applicable notifications.

Berkeley World will potentially have duties to notify the regulators and/or the individuals whose data has been compromised, and a failure by a staff member to report any compliance breach may put the firm in breach of its obligations. It is therefore imperative that all staff report any breach as soon as possible.

Consequences of non-compliance

All staff are under an obligation to ensure that they have regard to the data protection principles (see above) when processing, accessing, using or disposing of personal data and any failure to do so may result in disciplinary action up to and including dismissal. For example, if a member of staff accesses another member of staff’s employment record without the requisite authority, the company will treat this as gross misconduct and instigate its disciplinary procedures.

Taking records off site

Staff must not take personal data relating to another staff member, client or third party off site (whether in electronic or paper format) without prior authorisation from the Data Protection Officers (Director and Head of HR).

Staff may only take records containing personal data off site if there is a legitimate reason for doing so. These reasons might include disciplinary or grievance meetings that cannot be held on site/meetings with occupational health/discussions surrounding the sale of the business or specific monitoring purposes/seeking professional advice. Staff may also take records containing personal data off site for any other legitimate reason given by the Data Protection Officers (Director and Head of HR).

Staff taking records containing personal data off site must ensure that:

  • no files are taken away from the office unless strictly necessary for work purposes.
  • files are brought back to the office at the first reasonable opportunity and are not kept offsite for any longer than is reasonably necessary.
  • whilst files are offsite, they are the responsibility of the member of staff who has elected to take them offsite; and
  • whilst files are offsite, they are always kept as secure as possible. Files must not be left unattended when not secured. Files must not be left in vehicles unless strictly necessary.