This document records what personal data we process, where it came from and who we share it with. It also describes the lawful basis for us processing that data.
For the purpose of GDPR regulation, ABC Connection is a data controller because we determine how the personal data will be processed. The data processors are the users who enter and use the personal data.
Because we carry out cross-border processing of data, our lead data protection supervisory authority will be the UK Information Commissioner’s Office (ico.org.uk). The Information Commissioner is the UK’s representative on the GDPR Article 29 Working Party which means that they are the person to go to, regarding any issues of personal data security and usage.
Because of the size of our organisation and the minimal set of personal information that we process, ABC Connection does not need to appoint a permanent DPO under the GDPR guidance. However, any issues or questions you have regarding personal information can be raised as a support ticket through our normal helpdesk process.
ABC Connection maintains a Data Breach Response Plan which lays out in detail all the steps we will take in the event of becoming aware of any breach of personal data. It describes how we would report the matter to the Information Commissioners Office and the people involved with the utmost haste and openness, and work together with all the parties involved to investigate and mitigate any damage.
The data was entered by the client company administrator in the Edit User Account page, or by the agent in the Client Users tab of the Client Manager. It is maintained by these and the user themselves.
The data can be seen by the agent users of the client’s agent. Any of their personal details can be passed on to the hotel as directed and dependent on how they have set up the client.
We process the client users’ personal data by gaining their consent at the point of account creation. The system we provide for the clients is an authenticated system requiring a user account and login. We process the minimal amount of personal data to enable users to interact efficiently with the agents who are negotiating bookings on their behalf. Email communications are only used as part of the normal operations of the account. They are not used in any ad-hoc way such as for marketing purposes.
The data was entered in the Client Admin section, or was entered on a one-off basis as part of the Confirmation Document process. In both cases, the information will have been entered by the agent or the agent’s client.
The data can be seen by the agent users of the client’s agent. The confirmation document which is passed onto the hotel or venue also contains a secure link. When the hotel or venue user clicks on this link they will have a one-time access over a secure connection to see the credit card details. This enables them to make the booking against the card.
We process the client’s credit card data because we have a legitimate interest to do so. The client’s role is made easier, and the booking process made simpler by the client allowing their credit card information to be entered, and then used to make each booking. They can also refuse to allow their credit card information to be entered, and instead telephone the details through to the venue themselves to secure the booking.
The data was entered by an agent administrator. It is maintained by the administrator and the user themselves using their ‘Edit User Account’ screen.
The data can be seen fully by other agent users with their company only. A small subset, namely the users name and email, are shared with hotels and venues and with clients when dealing with a booking.
We process the agent users’ personal data in order to fulfil our contract with their organisation. The system we provide for the agents is an authenticated system requiring a user account and login. We process the minimal amount of personal data to enable users to efficiently contact each other and allow their clients and the venues they book to do so too.
The data was usually entered by a venue or group administrator. A small subset, namely the user’s name, email and telephone can also be entered by agent users. The full set of data is maintained by the venue user themselves or by their administrator.
The data can be seen by the venue or group administrator. We only share the subset of data, namely the user’s name, email and telephone, with the agents as it is all they need to make contact. We do not distribute group and venue users’ personal data to any agents other than those attempting to make a booking or claim commission, nor do we pass it on to anyone else.
We process the group and venue users’ personal data by gaining their consent. The system we provide for the groups and venues is an authenticated system requiring a user account and login. We process the minimal amount of personal data to enable users to interact efficiently with the agents who are negotiating bookings with them. Email communications are only to those who have opted-in using the preferences settings in their Contact Details page.
We usually only process their name although this is down to whatever the agent user types into the Guest List screen.
The data was entered by an agent user on the Guest List screen.
The data can be seen by the hotel or venue as well as by other agent users.
We process the personal data of guest list members because we have a legitimate interest to do so. The client communicates the guest list to the venue via the system for a number of reasons. This might be so that the venue can allocate accommodation to named individuals. Or it might be that the venue needs that information for safety or security reasons.
We usually process only the name, but sometimes the email of the original booker and guests, but this depends on which transient data feed is involved.
The data was entered by upstream systems such as the GDS’s where the booking was made.
The data relating to the booker is not needed to process the commission claim so it goes no further. The data relating to the booking guests may be passed on to the venue so that they can confirm which booking it is before agreeing to pay out the commission claim.
We process the personal data of transient accommodation bookers and guests mentioned in commission claims because we have a legitimate interest to do so. The information comes from a file whose format is defined by a third part. We read these files into a database in order to decipher and validate the data structure. Thereafter, the transient accommodation bookers information is not used any further. The guest information may be passed to the venue that fulfilled the booking, so that they can check the names against the booking before agreeing to pay out the commission claim.
19 Berkeley Street