GDPR Statement

Review of GDPR 2018 impacts and compliance – The House of Bread (Cottages & B&B)

Change in the Law

We have reviewed our data use and storage in our business based on our understanding of the changes in Data Protection law on GDPR applicable from May 2018. The statements below represent our findings as a result of that review.

What data do we hold?

By law we are required (by our Local Authority) to have the details of those who are booked to stay in our cottages. Therefore, we store the information provided to us/required by us from those booking our cottages for self-catering/B&B on a Booking Acknowledgement Form (a Word document). This is compiled and sent to guests to confirm the details of their booking. The information on the Booking Acknowledgement Form includes the following:

  • Lead booking contact name
  • Contact telephone number(s)
  • Email address
  • Postal address
  • Details of the booking including the dates, room set up required, likely ETA, things we need to know regarding any food allergies/intolerances (for B&B only), any pets accompanying and the tariff payable

We also have guests’ email addresses/mobile numbers in our email/mobile message records.

We do not take card payments through our website so we do not store bank card details. The majority of our accommodation payments are paid directly into our bank account, through our card payment machine in person, by cheque or in cash.

On occasion, we do take card details over the phone to put through our card machine, but in this case they are handwritten and destroyed immediately once the payment is complete.

Limited payment data is stored by the business’s PayPal card payments system within our PayPal account, although this is only transaction data: no names and addresses are retained, and only partial card details. Whilst the PayPal system does often supply a contact email/mobile number within the transaction to send a receipt, these details are not available to us once the transaction is complete.

How do we store the data we hold?

All accommodation Booking Acknowledgement Forms are kept on our private computer as part of our business records and the data on them is not processed or used for marketing purposes or any other purposes by ourselves or any third party.

We also have guests’ email addresses/mobile numbers in our email/mobile message records.

How do we use the data we hold?

The data we hold is purely used to contact guests about their stay prior to their visit or after they have departed as a courtesy to say thank you for staying with us or in relation to damages or items left behind.

We do not contact guests (past, present or future) with any information regarding any promotions or future events at The House of Bread. All promotional marketing of this nature is undertaken via our ‘Latest News’ on our website, on our Facebook page, Twitter, WVFDTA website, press releases, printed materials and advertising.

The House of Bread Facebook page is used to update those who have indicated they wish to be ‘friends’ of the business. This is subject to the normal security protocols of Facebook, contains no personal information and people can ‘unfriend’ at any point.

What will we do if you wish to change your data record or have it removed?

We do not proactively use data held to contact guests (past, present or future), so where guests’ contact details have changed, the new contact details provided in an inbound communication from them about a new booking would be used in relation to that booking.

In terms of access, we have stated here what data we hold on guests, why we hold it and what it is used for.

In terms of personal data removal, should guests wish us to remove their personal data held then the following would happen. We would delete all emails/mobile messages in our records relating to their email address/mobile number and strip their postal address, email address and phone numbers from the Booking Acknowledgement Form stored on our computer.

In terms of any messages/communications/reviews etc. left by guests on Google, TripAdvisor, Facebook or any other third-party platform, we would expect guests to manage and remove those as they saw fit, although we do feature some on our website and if we were asked to remove these then we would.

We would undertake this within a month of receiving the request (to allow for delay if we are on holiday) and we would then confirm the removal of data (and then destroy that communication).

Data Security

As our business is run by 2 people who are a married couple and they are the only people who have access to the data we hold, our assessment of the risk of a breach is that it is highly remote. We do not anticipate any security breaches.

Conclusion

We do not believe that the way we store and use the data we hold provides a security risk or falls within the scope of the changed data protection legislation in GDPR from May 2018.