The General Data Protection Regulation (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union.
It primarily addresses the export of personal data outside the EU. The GDPR aims to give control back to citizens over their personal data and to simplify the regulatory environment by unifying the regulation within the EU.
It was adopted on 27 April 2016. It becomes enforceable from 25 May 2018, after a two-year transition period.
GetHolidays.co.uk have been compliant with large parts of the GDPR prior to the regulations coming into place. In those areas where GetHolidays.co.uk is not currently compliant, actions have been taken to address the process, and implementation is either underway or completed. More details can be found in the roadmap below.
Relevant GDPR Article
Summary
Actions taken - Completed
Articles 1, 2, 3, 4
General summary & scope
GetHolidays.co.uk have read & understood
Article 5
Principles relating to processing of personal data
GetHolidays.co.uk have made sure that key decision makers are aware that the law is changing and identified areas that could cause compliance problems under the GDPR.
GetHolidays.co.uk employees who handle personal data of other employees or customers have received training in order to ensure that they handle changes in accordance with GDPR.
Article 6
Lawfulness of processing: the conditions that must be satisfied for the processing of personal data to be lawful.
GetHolidays.co.uk has:
Article 7
New legislation around the consent of the individual for the organisation to hold his/her personal data. Consent must be:
GetHolidays.co.uk has reviewed methods for seeking, obtaining and recording consent to ensure compliance.
Implemented explicit and affirmative consent through check boxes and clear privacy policies.
GetHolidays.co.uk have audited all the actions that users can take, from signup to account deletion, and ensured that each step complies with the new laws of consent.
Article 8
Children’s data consent
GetHolidays.co.uk have clearly defined the requirements in their terms & conditions.
Article 9
Sensitive Personal Data which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, health-related information (physical or mental), sexual orientation.
GetHolidays.co.uk do not collect or process this information and will not do so.
Article 10
Sensitive Personal Data relating to criminal convictions and offences or related security measures.
Article 11
Processing which does not require identification
GetHolidays.co.uk will examine every data subject's request with respect. However, in cases where we can prove that the data subject cannot be identified, the data subject's rights and GetHolidays.co.uk's actions will be limited.
Articles 12-14
Privacy Notices must be given at the time that the data is obtained from the subject.
GetHolidays.co.uk have modified their booking process to include clearer links to their privacy policies.
Articles 15-23
Rights of the individual to:
GetHolidays.co.uk will enable employees and customers to request their personal data processed by the company. Trained personnel will respond to requests within a 30-day timeframe. Users will be able to request exclusion from any personalisation.
Article 24
Definition of a Controller
GetHolidays.co.uk acts as a data controller and will comply with the guidelines.
Article 25
Data Protection by design and by default
Several guidelines will be applied during the software development process:
Article 28
Definition of a Processor
GetHolidays.co.uk will comply with the legislation when processing data and ensure that any third parties are GDPR compliant.
Article 30
Record keeping: all personal data processing activities shall be recorded.
This article does not apply to GetHolidays.co.uk as the number of employees is less than 250. That said, implementation of the rest of this roadmap should see GetHolidays.co.uk comply with this article.
Articles 33-34
Data Breaches
GetHolidays.co.uk will ensure that there are procedures in place to detect, investigate and report on any personal data breaches within 72 hours of becoming aware of them.
Articles 35-36
Data protection impact assessment and prior consultation
Not applicable as data processing done by GetHolidays.co.uk is not considered high risk.
Articles 37-39
Appointment of DPOs
Does not apply to GetHolidays.co.uk, but GetHolidays.co.uk have trained relevant staff in data protection matters.
Articles 40-43
Codes of conduct & certifications
GetHolidays.co.uk will comply with appropriate Codes of Conduct and Certifications, including PCI-DSS.
Articles 44-50
Cross-border data transfer
As a general rule, transfers of personal data to countries outside the EEA may take place if these countries are deemed to ensure an "adequate" level of data protection. A current list of "approved countries" is available here.
GetHolidays.co.uk will:
Articles 51-99
Remaining articles give guidance information on:
GetHolidays.co.uk have read and understood these guidance articles.
Updated on 30 October 2019