Statement of Intent
The Aturukan Hotel is required to keep and process certain information in accordance with its legal obligations under the General Data Protection Regulation (GDPR) or any such relevant legislation in place at the time. The Aturukan Hotel may, from time to time, be required to share personal information with other organisations. This policy is in place to ensure all staff are aware of their responsibilities and outlines how The Aturukan Hotel complies with the core principles of the GDPR.
Organisational methods for keeping data secure are imperative, and The Aturukan Hotel believes that it is good practice to keep clear, practical policies, backed up by written procedures. This policy complies with the requirements set out in the GDPR.
This policy has due regard to the General Data Protection Regulation (GDPR) and the Information Commissioner’s Office and will be implemented in conjunction with The Aturukan Hotel’s related Data Protection Policy, amongst others.
For the purpose of this policy, personal data refers to information that relates to an identifiable, living individual, including information such as an online identifier, for example an IP address. The GDPR applies to both automated personal data and to manual filing systems, where personal data is accessible according to specific criteria, as well as to chronologically ordered data and pseudonymised data.
Data referred to in the GDPR as ‘special categories of personal data’ (previously termed ‘Sensitive Personal Data’) specifically includes the processing of genetic data, biometric data and data concerning health matters.
Principles of Data Protection
In accordance with the requirements outlined in the GDPR, personal data will be:
The GDPR also requires that “the controller shall be responsible for, and able to demonstrate, compliance with the principles”.
The Aturukan Hotel will implement appropriate technical and organisational measures to demonstrate that data is processed in line with the principles set out in the GDPR or any such relevant legislation in place at the time. The Aturukan Hotel will provide comprehensive, clear and transparent privacy notices to Data Subjects.
Records of activities relating to higher risk processing will be maintained, such as the processing of special categories data or that in relation to criminal convictions and offences. Internal records of processing activities include the following:
The Aturukan Hotel will implement measures that meet the principles of data protection by design and data protection by default, such as:
• Data minimisation
• Allowing individuals to monitor processing
• Continuously creating and improving security features
Where The Aturukan Hotel engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
The Aturukan Hotel advertises with trip providers and social media booking agencies (such as booking.com) which themselves collect personal information. In these circumstances the originating agency (the data controller) then transfers personal data to Hillbrooke Hotels Limited. Further details on this process will be available in the originating agency’s Privacy Statement/Policy. Hillbrooke Hotels Limited, on receiving personal data from the agency, becomes the data controller in order to process the data for a scheduled event or booking.
Data Compliance Director (DCD)
The DCD is responsible for:
The Managing Director is appointed to the role of DCD and has professional experience and knowledge of data protection law, particularly that in relation to The Aturukan Hotel. Sufficient resources are provided to the DCD to enable them to meet their GDPR obligations.
The legal basis for processing data will, in all circumstances, be identified and documented prior to data being processed. Under the GDPR, data will be lawfully processed under the following conditions:
• The consent of the data subject has been obtained.
• Processing is necessary for:
  • Compliance with a legal obligation.
  • The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • The performance of a contract with the data subject or to take steps to enter into a contract.
  • Protecting the vital interests of a data subject or another person.
  • The purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Special Category data will only be processed under the following conditions:
Consent must be a positive indication. It cannot be inferred from silence, inactivity or pre-ticked boxes. Consent will only be accepted where it is freely given, specific, informed and an unambiguous indication of the individual’s wishes. Where consent is given, a record will be kept documenting how and when consent was given.
The Aturukan Hotel ensures that consent mechanisms meet the standards of the GDPR or any such relevant legislation in place at the time. Where the standard of consent cannot be met, an alternative legal basis for processing the data must be found, or the processing must cease. Consent previously accepted will be reviewed to ensure it meets the standards of the GDPR.
Consent can be withdrawn by the individual at any time. The consent of parents will be sought prior to the processing of a child’s data.
Right to be Informed
The privacy notice supplied to individuals in regards to the processing of their personal data will be written in clear, plain language which is concise, transparent, easily accessible and free of charge.
In relation to data obtained both directly from the data subject and not obtained directly from the data subject, the following information will be supplied within the privacy notice:
Where data is obtained directly from the data subject, information regarding whether the provision of personal data is part of a statutory or contractual requirement and the details of the categories of personal data, as well as any possible consequences of failing to provide the personal data, will be provided.
Where data is not obtained directly from the data subject, information regarding the source the personal data originates from and whether it came from publicly accessible sources, will be provided.
For data obtained directly from the data subject, this information will be supplied at the time the data is obtained. In relation to data that is not obtained directly from the data subject, this information will be supplied within one month of having obtained the data.
Right of Access
Individuals have the right to obtain confirmation that their data is being processed. Individuals have the right to submit a data subject access request (DSAR) to gain access to their personal data in order to verify the lawfulness of the processing.
The Aturukan Hotel will verify the identity of the person making the request before any information is supplied. A copy of the information will be supplied to the individual free of charge. However, The Aturukan Hotel may impose a ‘reasonable fee’ to comply with requests for further copies of the same information. Where a DSAR has been made electronically, the information will be provided in a commonly used electronic format.
Where a request is manifestly unfounded, excessive or repetitive, a reasonable fee will be charged. All fees will be based on the administrative cost of providing the information.
All requests will be responded to without delay and, at the latest, within one month of receipt.
In the event of numerous or complex requests, the period of compliance will be extended by a further two months. The individual will be informed of this extension, and will receive an explanation of why the extension is necessary, within one month of the receipt of the request.
Where a request is manifestly unfounded or excessive, The Aturukan Hotel holds the right to refuse to respond to the request. The individual will be informed of this decision and the reasoning behind it, as well as their right to complain to the supervisory authority and to a judicial remedy, within one month of the refusal.
In the event that a large quantity of information is being processed about an individual, The Aturukan Hotel will ask the individual to specify the information the request is in relation to.
Right to Rectification
Individuals are entitled to have any inaccurate or incomplete personal data rectified. Where the personal data in question has been disclosed to third parties, The Aturukan Hotel will inform them of the rectification where possible. Where appropriate, The Aturukan Hotel will inform the individual about the third parties that the data has been disclosed to.
Requests for rectification will be responded to within one month; this will be extended by two months where the request for rectification is complex. Where no action is being taken in response to a request for rectification, The Aturukan Hotel will explain the reason for this to the individual, and will inform them of their right to complain to the supervisory authority and to a judicial remedy.
Right to Erasure
Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Individuals have the right to erasure in the following circumstances:
The Aturukan Hotel has the right to refuse a request for erasure where the personal data is being processed for the following reasons:
As a child may not fully understand the risks involved in the processing of data when consent is obtained, special attention will be given to existing situations where a child has given consent to processing and they later request erasure of the data, regardless of age at the time of the request.
Where personal data has been disclosed to third parties, they will be informed about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
Where personal data has been made public within an online environment, The Aturukan Hotel will inform other organisations who process the personal data to erase links to and copies of the personal data in question.
Right to Restrict Processing
Individuals have the right to block or suppress The Aturukan Hotel’s processing of their personal data. In the event that processing is restricted, The Aturukan Hotel will store the personal data but not further process it, retaining just enough information about the individual to ensure that the restriction is respected in future.
The Aturukan Hotel will restrict the processing of personal data in the following circumstances:
If the personal data in question has been disclosed to third parties, The Aturukan Hotel will inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so. The Aturukan Hotel will inform individuals when a restriction on processing has been lifted.
Right to Data Portability
Individuals have the right to obtain and reuse their personal data for their own purposes across different services. Personal data can be easily moved, copied or transferred from one IT environment to another in a safe and secure manner, without hindrance to usability. The right to data portability only applies in the following cases:
Personal data will be provided in a structured, commonly used and machine-readable form.
The Aturukan Hotel will provide the information free of charge. Where feasible, data will be transmitted directly to another organisation at the request of the individual.
The Aturukan Hotel is not required to adopt or maintain processing systems which are technically compatible with other organisations. In the event that the personal data concerns more than one individual, The Aturukan Hotel will consider whether providing the information would prejudice the rights of any other individual.
The Aturukan Hotel will respond to any requests for portability within one month. Where the request is complex, or a number of requests have been received, the timeframe can be extended by two months, ensuring that the individual is informed of the extension and the reasoning behind it within one month of the receipt of the request.
Where no action is being taken in response to a request, The Aturukan Hotel will, without delay and at the latest within one month, explain to the individual the reason for this and will inform them of their right to complain to the supervisory authority and to a judicial remedy.
Right to Object
The Aturukan Hotel will inform individuals of their right to object at the first point of communication, and this information will be outlined in the privacy notice and explicitly brought to the attention of the data subject, ensuring that it is presented clearly and separately from any other information. Individuals have the right to object to the following:
Where personal data is processed for the performance of a legal task or legitimate interests:
Where personal data is processed for direct marketing purposes:
Where personal data is processed for research purposes:
Where a processing activity outlined above is carried out online, The Aturukan Hotel will offer a method for individuals to object online.
Privacy by Design and Privacy Impact Assessments
The Aturukan Hotel will act in accordance with the GDPR by adopting a privacy by design approach and implementing technical and organisational measures which demonstrate how The Aturukan Hotel has considered and integrated data protection into processing activities.
Data protection impact assessments (DPIAs) will be used to identify the most effective method of complying with The Aturukan Hotel’s data protection obligations and meeting individuals’ expectations of privacy. DPIAs will allow The Aturukan Hotel to identify and resolve problems at an early stage, thus reducing associated costs and preventing damage to The Aturukan Hotel’s reputation which might otherwise occur.
A DPIA will be used when using new technologies or when the processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA will be used for more than one project, where necessary. High risk processing includes, but is not limited to, the following:
The Aturukan Hotel will ensure that all DPIAs include the following information:
Where a DPIA indicates high risk data processing, The Aturukan Hotel will consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR.
The term ‘personal data breach’ refers to a breach of security which has led to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The Managing Director will ensure that all staff are made aware of, and understand, what constitutes a data breach as part of continuous development training.
Where a breach is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed.
All notifiable breaches will be reported to the relevant supervisory authority within 72 hours of The Aturukan Hotel becoming aware of it.
The risk of the breach having a detrimental effect on the individual, and the need to notify the relevant supervisory authority, will be assessed on a case-by-case basis. In the event that a breach is likely to result in a high risk to the rights and freedoms of an individual, The Aturukan Hotel will notify those concerned directly.
A ‘high risk’ breach means that the threshold for notifying the individual is higher than that for notifying the relevant supervisory authority. In the event that a breach is sufficiently serious, the public will be notified without undue delay.
Effective and robust breach detection, investigation and internal reporting procedures are in place at The Aturukan Hotel, which facilitate decision-making in relation to whether the relevant supervisory authority or the public need to be notified. Within a breach notification, the following information will be outlined:
Failure to report a breach when required to do so will result in a fine, as well as a fine for the breach itself.
The Aturukan Hotel carries out the following in regard to security of data:
The Aturukan Hotel takes its duties under the GDPR seriously and any unauthorised disclosure may result in disciplinary action.
Publication of Information
The Aturukan Hotel will not publish any personal information, including photos, on its website without the permission of the affected individual. When uploading information to The Aturukan Hotel’s website, staff will consider any metadata or previously deleted content that could still be recovered from documents and images on the site.
CCTV, Photography and Video Images
The Aturukan Hotel uses CCTV on its premises and understands that recording images of identifiable individuals constitutes processing of personal information. Where CCTV is used, it will be done in line with data protection principles. The Aturukan Hotel will notify all staff and visitors of the purpose for collecting CCTV images, and of any retention rules applying to such data, via notice boards, letters and email.
The Aturukan Hotel will always indicate its intentions for taking photographs or video of individuals and will obtain permission from individuals before publishing them. If The Aturukan Hotel wishes to use images or video footage of individuals in a publication, such as on The Aturukan Hotel’s website, or recordings of events, written permission will be sought from the individual for the particular usage.
Images and videos captured by individuals for recreational/personal purposes are exempt from the GDPR.
Data will not be kept for longer than is necessary. Data that is no longer required will be deleted as soon as practicable. Some records relating to former employees of The Aturukan Hotel may be kept for an extended period for legal reasons, and also to enable the provision of references. Once data should no longer be retained, paper documents will be shredded or pulped, and electronic storage media securely wiped or destroyed.
The Aturukan Hotel
P.O. Box 2960-30200,
Kapenguria Road, Kitale Kenya
Tel.: (+254) 718 880111