This document aims to explore the appropriateness of the legal basis of 'Legitimate Interest' for the processing of personal data by The Downcliffe House Hotel with respect to the GDPR and the rights of the individuals whose data is processed and stored by the Business. In this document, The Downcliffe House Hotel may be referred to as The Business.
About The Downcliffe House Hotel
The Downcliffe House Hotel is is an established business which has worked hard to establish a highly regarded and reputable business. The Downcliffe House Hotel is high quality gastro pub serving directly with the public. The Business is determined to continue to build their business and would like to develop further quality employment in the future. The Downcliffe House Hotel aspires to be a fair, transparent and ethical business both towards its employees and towards it customers;
Why does The Downcliffe House Hotel need to process personal data?
There are three main areas of data processing that the Business undertake, these are:
- Employment data processing (Data Controller)
- Administrative and commercial data processing (Data Controller)
- Business development and marketing data processing and (Data Controller)
Taking each of these areas in turn, this document aims to explore:
- The objectives of data processing
- The relevance and importance of data processing to the business
- The impact on the individuals whose data is processed
- The expectation of the individual that their data would be processed and
- The rights of the individual whose data is processed
Employment data processing (Data Controller)
The Downcliffe House Hotel process employees' data for legitimate and common business purposes, in situations which are not necessary for the performance of employment contract, but are nevertheless customary, or necessary for operational, administrative, HR and recruitment purposes and to otherwise manage employment relationship and interaction between employees.
Specific examples are:
- Background checks and security vetting in recruitment and HR functions
- Office access and operations
- Disaster and emergency management tools and apps
- Internal directories and other business cooperation and sharing tools.
- Business conduct and ethics reporting lines
- Compliance with internal policies, accountability and governance requirements and corporate investigations
- Call recording and monitoring for call centre employees' training and development purposes
- Employee retention programs
- Workforce and headcount management, forecasts and planning
- Professional learning and development administration
- Travel administration
- Time recording and reporting
- Processing of family members' data in the context of HR records - next of kin, emergency contact, benefits and insurance, etc.
- Additional and specific background checks required by particular customers in respect of processors' employees having access to customers' systems and premises
- Defending claims - sharing CCTV images from premises with insurers when required for processing, investigating or defending claims due to incidents that have occurred on our premises
- Intra-corporations hiring for internal operations.
The argument here is that the business has a legitimate reason for processing employees data to undertake its role as employer and to safeguard its customers during its role as a processor. The data processed is typical employee information and the employee would fully expect The Business to process this data.
Administrative and commercial data processing (Data Controller)
The Downcliffe House Hotel processes supplier and customer' data for legitimate and common business purposes, in situations which are not necessary for the performance of the business, but are nevertheless customary, or necessary for operational and administrative purposes and to otherwise manage relationship and interaction between The Business and its suppliers and customers.
Specific examples are:
- Develop or operate financial/credit/conduct and risk records
- Internal analysis of customers - plan strategy and growth
- Reporting and management information
- Back-office operations
- Monitoring physical access to offices, visitors and CCTV operations in reception and any other restricted areas
- Corporate reorganisations
- Business intelligence
- Managing third party relationships (vendors, suppliers, media, business partners)
- Processing identifiable data for the sole purpose of anonymising/de-identifying/re-identifying it for the purposes of using the anonymised data for other purposes (product improvement, analytics, etc.)
The argument here is that the Business has a legitimate reason for processing supplier and customer data to undertake common business purposes. The data processed is not considered to be sensitive according to the guidelines of 'Special Category Data' and the supplier or customer would fully expect The Business to process their data.
Business development and marketing data processing (Data Controller)
Compliance with GDPR will work to enhance the reputation of The Downcliffe House Hotel. The Downcliffe House Hotel processes supplier and customer data for legitimate and common business purposes, including communications and marketing, processing certain 'low risk' personal data to gather market intelligence, promote products and services, as well as communicate news and offers to its customers.
Specific examples are:
- Discretionary service interactions - customers are identified in order for them to receive communications relating to how they use and operate the data controllers' product
- Personalised service and communications
- Direct marketing - of the same, or similar, or related products and services; including also sharing and marketing within a unified corporate group and brand;
- Targeted advertising
- Analytics and profiling for business intelligence - to create aggregate trend reports; find out how customers arrive at a website; how they use apps; the responses to a marketing campaign; what are the most effective marketing channels and messages; etc.
- Ad performance and conversion tracking after a click
- Audience measurement - measuring audiovisual audiences for specific markets
- Mapping of publicly available information of professional nature to develop database of qualified professionals/experts in relevant field for the purpose of joining advisory boards, speaking engagement and otherwise engaging with the Business
- Primarily B2C marketing of news and offers.
The argument here is that any individual that has provided their email details, has done so, fully expecting to receive mailshot marketing and would naturally expect The Downcliffe House Hotel to store their data, and to make use of it - these data subjects are naturally a 'legitimate interest' to The Downcliffe House Hotel. The data processed is not considered to be sensitive according to the guidelines of 'Special Category Data' and the data subject would fully expect The Business to process their data.
The rights of the individual whose data is processed
As alluded to above, The Downcliffe House Hotel is a Business that has worked hard to establish itself as a quality business, with a strong reputation. The Downcliffe House Hotel is determined to be compliant with respect to the GDPR, data capture, processing, security and the rights of the individual and it has a very clear ambition to be compliant by 25th of May 2018.
The Downcliffe House Hotel own website will capture data with consent permissions in accordance with the GDPR. The Business will process non sensitive data such as contact name and email address and business phone number of contacts. Email marketing will be the preferred approach as this is particularly cost effective, and any data processed will not be sensitive, as such will not require special protection under the GDPR.
The Downcliffe House Hotel will not share its database with any other business. The Downcliffe House Hotel may need to make use of third party data processors in order to fulfil their marketing challenge; on these occasions, a contract will be in place between The Downcliffe House Hotel (the data controller) and the third party data processor - only GDPR compliant third party data processors will be used to provide these services. The contract, which is a requirement of GDPR will ensure that both parties understand their responsibilities and liabilities.
Data may need to be shared with the authorities such as the ICO during an IT or Cyber security investigation. This may be required under the GDPR following a breach of security. Another example of data sharing may be if the authorities need to investigate a subscribers details during an anti-fraud or criminal investigation.
Security measures & and online safeguards
This section will focus on the security measures that The Downcliffe House Hotel has in place for the hosting and administration of its own website downcliffehouse.co.uk. The website makes use of a Content Management System for data capture and subscription management via downcliffehouse.co.uk/mail/ The data is contained in a main database, which is hosted online. The Downcliffe House Hotel's data capture portal utilises an array of security measures from server through to website.
Privacy impact & risk mitigation
The Downcliffe House Hotel has, and will always look to secure its hard earned reputation throughout any marketing campaign - consequently it is very careful to consider the relevance of its marketing to a data subject. The Downcliffe House Hotel takes the position that the quality and relevance of a data subject is crucial, but equally the Business feels that every effort should be made to allow the data subject to easily act to assert their right to privacy.
Data Controllers have obligations under GDPR to keep good records of personal data and processing activities. With this in mind, The Downcliffe House Hotel have implemented processes, which work to establish transparency as well as to protect the data subjects rights according to GDPR guidance; these processes include the following:
- Routine data consent refresh every 6 months - All data subjects will be emailed to confirm that they are happy to remain subscribed to the Business's News & Events list - the email will provide clear access to:
- Details relating to the data controller (The Downcliffe House Hotel)
- The legal basis used by the Business for processing data
- How the Business may use the data
- What data is processed by The Downcliffe House Hotel (non sensitive)
- A Subscription Management page
- Right to withdraw consent
- Unsubscribing from all lists
- Contact details about the controller's Data Protection Officer
- Link to a supervisory authority to lodge a complaint against The Downcliffe House Hotel
- Information relating to 3rd party data processors
- Information relating to sharing of data
- Information relating to security of and storage of data
- Information relating to retention of data
- Information relating to the right to erasure
- Record keeping of the activities relating to the way that the Business processes an individual's data
- How and when data was collected
- How and when data was used
- When the data subjects' consent was refreshed - consequence of the refresh
- Record keeping of any actions taken by the subject following any communication from the Business
- Opens, clicks, unsubscribes
- Correspondence with the email@example.com
- How and when does a contact unsubscribe
- Unsubscribe link from Marketing email
- Subscriptions Management page unsubscribes (directly via downcliffehouse.co.uk)
- Verbal notice
- Responses to any complaint relating to information/rights that we receive, clearly stating how we have processed the individual's personal information and explaining how the Business will put right anything that's gone wrong
- Most of the record keeping referred to above is carried out automatically. Subscription and marketing activities are handled by the website, so access to records is relatively straightforward - this also means that the Business's master database is dynamic - as individuals subscribe or unsubscribe or as data is added manually, the master database is always up to date. The beauty of this approach is that version control is always accurate, minimising irritation of data subjects once unsubscribed.
Contact Form data
If a user subscribes to the Mailing list, then the user is positively opting in to receive the News & Offers emails. Any data captured or recorded is kept to a minimum, ie. name, email and telephone number, this information is not sensitive. Data subjects will only receive the News & Events email, if they have opted in. The Business make it very easy for a data subject to manage their data via a Subscriptions web page and any inconvenience felt by the data subject following a marketing communication (email) is easily avoided in the future simply by following the unsubscribe link. Once again, if the data subject does feel that the Business's use of their data is intrusive, it is very easy for the data subject to unsubscribe from the Business's marketing.
Summary of the Business's reliance on the 'Legitimate Interest' legal basis
The Downcliffe House Hotel is a well established business that takes its reputation very seriously. The Business is respected and wishes to embrace the ethos of GDPR, further establishing its credibility with compliance and transparency. The Business does need to be progressive and email marketing is seen as a cost effective form of profile raising. On balance our judgement is that the Business takes its data responsibilities very seriously and markets its services sensitively to an audience that has shown to be of Legitimate Interest. The business's website uses an approach which records data in a compliant manner and only if consent is provided. Data subjects have good access to their subscription data - making the removal of their data from a marketing list very straightforward. All data subjects will be asked periodically to unsubscribe if they feel that The Downcliffe House Hotel News & Offers notifications are no longer appropriate.