Our GDPR Policy

GDPR Compliance

The General Data Protection Regulation (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union.

Primarily addressing the export of personal data outside the EU. The GDPR aims to give control back to citizens over their personal data and to simplify the regulatory environment by unifying the regulation within the EU.

It was adopted on 27 April 2016. It becomes enforceable from 25 May 2018, after a two-year transition period.


GetHolidays.co.uk Compliance

GetHolidays.co.uk have been compliant with large parts of the GDPR prior to the regulations coming into place. In those areas where GetHolidays.co.uk is not complaint currently, actions have been taken to address the process and implementation are either underway or completed. More details can be found in the roadmap below.


GDPR Roadmap

Relevant GDPR Article


Actions taken - Completed

Articles 1, 2, 3, 4

General summary & scope

GetHolidays.co.uk have read & understood

Article 5

Principles relating to processing of personal data

GetHolidays.co.uk have made sure that key decision makers are aware that the law is changing and identified areas that could cause compliance problems under the GDPR.

GetHolidays.co.uk employees who handle personal data of other employees or customers have received training in order to ensure that they handle changes in accordance with GDPR.

Article 6

Lawfulness of processing: the following conditions that must be satisfied for the processing of personal data to be lawful.

  1. Consent from individual
  2. Contract with individual
  3. Compliance with a legal obligation
  4. Vital interests
  5. Public task
  6. Legitimate interest

GetHolidays.co.uk has:

  1. Audited the use of personal data to assess what lawful processing grounds it currently relies on and whether they remain valid under the GDPR
  2. Train staff so that they are aware of legal processing grounds.
  3. Begun the process of obtaining renewed consent.

Article 7

New legislation around the consent of the individual for the organisation to hold his/her personal data. Consent must be:

  1. Unbundled
  2. Active opt-in
  3. Granular
  4. Named
  5. Easy to withdraw
  6. Documented

GetHolidays.co.uk has reviewed methods for seeking, obtaining and recording consent to ensure compliance.

Implemented explicit and affirmative consent through check boxes and clear privacy policies.

GetHolidays.co.uk have audited all the actions that users can take, from the signup to account deletion, and ensure that each step complies with new laws of consent.

Article 8

Children’s data consent

GetHolidays.co.uk have clearly defined the requirements in their terms & conditions.

Article 9

Sensitive Personal Data which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, health-related information (physical or mental), sexual orientation.

GetHolidays.co.uk do not collect or process this information and will not do so.

Article 10

Sensitive Personal Data relating to criminal convictions and offences or related security measures.

GetHolidays.co.uk do not collect or process this information and will not do so.

Article 11

Processing which does not require identification

GetHolidays.co.uk will examine every data subject’s request with respect. However in cases where we can prove that the data Subject cannot be identified, data subject's rights and GetHolidays.co.uk's actions will be limited.

Articles 12-14

Privacy Notices must be given at the time that the data is obtained from the subject.

GetHolidays.co.uk have modified their booking process to include clearer links to their privacy policies.

Articles 15-23

Rights of the individual to:

  1. access their information;
  2. have inaccuracies corrected;
  3. have information erased;
  4. prevent direct marketing;
  5. prevent automated decision making and profiling;
  6. data portability.

GetHolidays.co.uk will enable employees and customers to request their personal data processed by the company. Trained personnel will respond to requests within 30 days timeframe. Users will be able to request exclusion from any personalisation.

Article 24

Definition of a Controller

GetHolidays.co.uk acts as a data controller and will comply with the guidelines.

Article 25

Data Protection by design and by default

Several guidelines will be applied during the software development process:

  1. Training
  2. Design - all design decisions will take into account the GDPR
  3. Coding will use approved tools and frameworks
  4. Testing - test whether data protection and security requirements are implemented
  5. Maintenance - GetHolidays.co.uk should be prepared to respond to incidents, personal data breaches, faults and attacks, and be capable of issuing updates, guidelines, and information to users and those affected by the software

Article 28

Definition of a Processor

GetHolidays.co.uk will comply with the legislation when processing data and ensure that any third parties are GDPR compliant

Article 30

Record keeping all personal data processing activities shall be recorded.

Article does not apply to GetHolidays.co.uk as number of employees is less than 250. That said, implementation of the rest of this roadmap should see GetHolidays.co.uk comply with this article.

Article 33-34

Data Breaches

GetHolidays.co.uk will ensure that there are procedures in place to detect, investigate and report on any personal data breaches within 72 hours of becoming aware of it.

Article 35-36

Data protection impact assessment and prior consultation

Not applicable as data processing done by GetHolidays.co.uk is not considered high risk.

Article 37-39

Appointment of DPOs

Does not apply to GetHolidays.co.uk but GetHolidays.co.uk have trained relevant staff in data protection matters

Article 40-43

Codes of conduct & certifications

GetHolidays.co.uk will comply with appropriate Codes of Conducts and Certifications including PCI-DSS

Article 44-50

Cross-border data transfer

As a general rule, transfers of personal data to countries outside the EEA may take place if these countries are deemed to ensure an "adequate" level of data protection. A current list of "approved countries" is available here.

GetHolidays.co.uk will:

  1. Identify and map all cross-border data flows.
  2. Examine and assess for each of these flows whether (i) the receiving country is an EEA Member State or deemed "adequate", (ii) if not, whether any "appropriate safeguards" have been put in place, and/or (iii) if not, whether any specific derogations apply.
  3. Adhere to approved code of conduct / certification mechanisms.

Article 51-99

Remaining articles give guidance information on:

  1. Independent Supervisory Authorities
  2. Cooperation and Consistency
  3. Remedies, Liability, and Sanctions
  4. Provisions relating to specific data processing situations
  5. Delegated Acts and Implementing Acts
  6. Final provisions

GetHolidays.co.uk have read and understood these guidance articles.


Updated on 30 October 2019