In this policy, the following expression shall have the following meaning:-

“The Company”

ALL7GROUP Ltd and its subsidiaries, namely

• ALL7 UK Ltd

This Privacy Policy describes how The Company processes personal data in accordance with the Data Protection Act 1998 and other applicable law relating to the General Data Protection regulation from the 25th May 2018.

We are committed to protecting your privacy and take every precaution with your personal information, only ever using it in accordance with the Data Protection Act 1998 and Electronic Communications (2000/58/EC) and the General Data Protection Regulation.

The Company complies with its transparency obligations by providing its clients a Privacy Policy alongside the contract held between ALL7GROUP and its client. The privacy policy sets out:

• that The Company is the processor;
• information collected from/about data subjects, which will be all information required for The Company to process traveller reservation booking requirements to clients as per the contract with those clients;
• the uses of data;
• the circumstances in which data is disclosed to third parties;
• that data will not be used or disclosed for marketing purposes;
• that data is stored on allseven24’s secure servers
• that data subjects have, in relation to their data, the right to/of:
  • access it;
  • request that it be rectified;
  • request its erasure;
  • restrict its processing;
  • object to processing;
  • portability;
  • lodge a complaint with a supervisory body;
• the period for which data will be stored.

The legal basis for processing personal data is that this is necessary for the performance of the contract on the basis of legitimate business purposes which include some or all, of the following:

• Where the processing enables us to enhance, modify, personalise or otherwise improve our services/communications for the benefit of the customer;
• To identify and prevent fraud;
• To enhance the security of our networks and information systems.

Whenever we process data for these purposes, we will ensure that we always keep Personal Data rights in the highest regard and take into account all of your data protection rights under any and all current UK legislation.

You have the right to object to this processing at any time. If you wish to do so, please email [email protected]. Please bear in mind that if you object, this may affect our ability to carry out the tasks above which may be of benefit to you.

What types of information do we process?

• the contracts between The Company and our clients;
• the data provided to it by each client;
• Personal Information;
  • Salutation, name, surname, address, company name, contact numbers, email addresses, travel itinerary details, date of birth, passport information, form of payment, airline cards and preferences;
  • Any other information shared with us to assist with travel plans;
  • Call log times and reason codes

What purpose is the personal information used?

• Personal data will normally be part of a travel itinerary and is required to process the reservation and issue relevant tickets and provide other travel related services;
• Enhanced customer service;
• Fulfil customer requests;
• Provide accurate call reporting, data analysis;
• Manage support queries;
• Invoicing purposes

In accordance with the obligations that data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed, The Company does not collect any data which is not necessary for it to fulfil its contractual obligations. It does not collect data for a general or unspecified future use.

The requirement for personal data to be accurate and kept up to date, is dependent on clients notifying The Company of changes to the data which it has previously provided. There are requirements in the relationship with both parties that the data provided to The Company is accurate.  The Company will not be able to tell without notification where information has changed. Upon notification of changes, The Company erases or rectifies data immediately.

Who is the Personal Information shared with?

• Third parties, suppliers, service providers and employees of The Company;
• If necessary: (a) under applicable law including laws outside your country of residence; (b) to comply with legal processes; (c) to respond to requests from public and government authorities including public and government authorities outside your own country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect yours and our own rights, privacy, safety or property; (g) to permit us to pursue available remedies or limit the damages we may sustain.

The Company only allows third party service providers to see personal data for specified purposes and in accordance with The Company instructions.  Any sharing of personal information using third party platforms would be governed by the terms of the third-party platform used.

Storage Limitation

The Company retains personal data for as long as necessary to fulfil the purposes it was collected for including for the purposes of satisfying any legal, accounting or reporting requirements. Please note that on any forms where you provide us with your details, we may specify the period of time that we intend to keep the data according to the specific proposals defined in the form.

We may use your contact details to post out future service updates and offers. You may of opt out of this.  We will retain records after our customer agreement has ended for the following reasons and durations:

• Account and financial records, for 6 years
• Customer service queries, 1 year

Integrity and Confidentiality

We use reasonable organisational, technical and administrative measures to protect Personal Information under our control. Unfortunately, no data transmission over the internet or data storage system can be guaranteed to be 100% secure. Please do not send us sensitive information through e-mail. If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us. Please note that e-mail communications will not necessarily be secure; accordingly, you should not include credit card information in your e-mail correspondence with us.

When Personal Data is processed on behalf of The Company access is limited to those who have a business need to know, Personal Data will be processed in accordance with the instructions of The Company and those who have access are subject to a duty of confidentiality.

The Company has in place internal procedures and policies to deal with any suspected personal data breach and will notify individuals and any applicable regulator of a breach where they are legally required to do so.

All staff are bound by these policies. When The Company employees commence employment, they are given induction training and provided with a handbook and copies of all appropriate policies that will apply to the work they are undertaking. Employees are required to sign their terms and conditions which contain confidentiality obligations and obligations to comply with The Company policies. Employees will be given access to client data that is relevant to them and they will only have access to screens allowing them to make changes or to action items if these are relevant to their role and they have the appropriate authorities. Employees are encouraged to flag up any issues that they become aware of in relation to data. Only authorised contacts at clients may give instructions to The Company staff and receive information from The Company. Employees are required to follow set internal methodology when completing their work and as such minimises any failure to comply with internal policies, but these would be easily identified and dealt with appropriately.

Security

We may need to transfer your information to other group companies, service providers or colleagues in countries outside the European Economic Area (EEA). This may happen if our suppliers, service providers, or customers are based outside the EEA, or if you use or services and products whilst in these countries.  We do our best to ensure a similar degree of security by ensuring that contracts, code of conduct or certification are in place to give your personal data the same protection as that in Europe.

The Company currently has the following measures in place:

• Dedicated project team with responsibilities of key areas of GDPR, closely following the Information Commissioner's Office guidelines;
• Data analysis completed – what data we hold, where it came from and who it is shared with.  This will enable ALL7GROUP to ensure that only personal information required for the service delivery is collected and that such information is properly processed;
• Staff awareness training;
• Secure anti-virus programme;
• Immediate lockdown of all systems and passwords when an employee contract ends;
• Where appropriate, changes to software, technical procedures and processes will be made in support of GDPR obligations;
• Inventories of all equipment;
• Data in transit to and from the Radar application is always over HTTPS, using TLS v1.2 encryption.
• All application data is encrypted at rest by default using encrypted ephemeral storage (typically using an AES-256 block cipher);
• Two factor authorisations;
• Website access controls;
• Email scanning through a filtering service.

Accountability

As is currently required by the Data Protection Act, The Company is registered with the Information Commissioner’s Office (“ICO”) as a data processor. There is a contract in place between The Company’s and its clients documenting allseven24’s obligations.

Breach Management

The Company has a data security breach incident management policy which is based on guidance given by the ICO. This policy applies to both suspected and confirmed incidents. It contains a reporting structure within The Company, naming persons responsible for assessing incidents, including a named individual with overall responsibility for data protection issues, being Phill Spokes. All data security breaches are centrally logged to ensure oversight of the types and frequency of breaches - this, in turn, enables ongoing policy making, changes to systems and training to be given as may be required. In accordance with this policy, The Company does and will continue to comply with its obligations to notify the ICO and data subjects of data security breaches as and when it is required to do so. Where there is a data security breach, ALL7GROUP documents its effects and any remedial action The Company has taken.

Customer’s Obligations

The customer, as Controller, remains solely responsible for the lawfulness of the Personal Data and its documented instructions.

Legal Rights

Under certain circumstances individuals can exercise rights under data protection laws. EU citizens and residents may exercise these rights relating to their personal data, or contact The Company for data protection related questions, by email to [email protected].

For the following rights please make a reference to the following in the request:

• Subject access requests - Right to access – request for access to personal data;
• Rectification of data quality;
• Right to erasure;
• Data portability;
• Right to object – object to processing of personal data for the purpose of analytics;
• Right to information about;
  • The Company third party service providers who process personal data on behalf of The Company;
  • transfers to third countries – information about data transfers outside EEA

Subject Access Requests

The Company will require authentication of your identity and possibly additional information to confirm that the rights that you may have under data protection laws are being exercised correctly. Information will be provided free of charge.  A ‘reasonable fee’ may apply if the request is manifestly unfounded or excessive, particularly if it is repetitive.  Charges will be applied based on the administrative cost of providing the information.

Information will be provided without delay and at least within one calendar month of receiving the request.  This may be extended by a further two months for complex or numerous requests.

Rectification of Data Quality

Individuals have the right to have personal data rectified if it is inaccurate or completed if it is incomplete. Responses will be without delay and at least within one month of receipt of the request.  This may be extended by a further two months for complex or numerous requests.

The Company will regularly review the information we process internally and with our customers to identify when action is required.  Regular reviews of our systems and processes will ensure that the information continues to be adequate for the purposes we are processing it for.

Right to Erasure

• EU citizens and residents have the right to be forgotten and can request the erasure of personal data:
  when it is no longer necessary for the purpose The Company originally collected/processed it for;
• if you have an objection to our reasoning of collecting/processing the data for legitimate interest purposes;
• if The Company were processing and personal data for direct marketing purposes and the customer objects;
• if it was unlawfully processed;
• if it has to be erased in order to comply with a legal obligation; or
• if it is processed for information society services to a child

Responses will be without delay and at least within one month of receipt of the request.  This may be extended by a further two months for complex or numerous requests.

We may refuse to comply with a request for erasure if we are processing the personal data for the following reasons:

• to exercise the right of freedom of expression and information;
• to comply with a legal obligation;
• to perform a public interest task or exercise official authority;
• for archiving purposes in the public interest, scientific research, historical research or statistical purposes;
• to exercise or defence of legal claims;
• for public health purpose in the public interest; or

Data Portability

EU citizens and residents have the right to obtain and reuse their personal data for their purposes across different services.

The right to data portability only applies:

• to personal data an individual has provided to a controller;
• where the processing is based on the individual’s consent or for the performance of a contract; and;
• where the processing is carried out by automated means

Responses will be without delay and at least within one month of receipt of the request.  This may be extended by a further two months for complex or numerous requests.

Right to Object

EU citizens and residents have a right to object to the processing of their personal data in certain circumstances including:

• Any processing of information undertaken for the purposes of direct marketing;
• Grounds relating to an individual’s particular situation based on legitimate interests, the performance of a task in the public interest or exercise of official authority

The right to object is not absolute, however The Company will stop processing personal data unless we are able to demonstrate compelling legitimate grounds for the processing, which overrides the interests, rights and freedom of the individual.

Your rights

Although The Company aims to carefully address any request and/or claim from you, as well as carefully process your personal information, you are entitled to file any claim or complaint before the relevant data protection authorities, if the answer provided by The Company does not meet your expectations.