Snowdonia 360 is a tourist route navigated by a printed map and interactive website developed for Attractions of Snowdonia. Attractions of Snowdonia is committed to maintaining the privacy and security of your personal data.
This Privacy Statement sets out why and how we collect and use your personal data. This statement applies to you if you visit the Snowdonia 360 website or use any of our services including the Snowdonia Pass scheme, if you are a Business Member, if you apply for a job or if you are an employee or contractor of Attractions of Snowdonia.
The rules on processing personal data are governed by the General Data Protection Regulation (GDPR), as it applies in the UK under the Data Protection Act 2018.
Our promise to you is to
- Keep your personal data secure
- Never share your data unless you confirm we can
- Use your data to improve our services to you
- Let you view, update, and delete your data
- Update this statement when there is any change to what data we collect and how we process it
- Personal Data is information relating to an identified or identifiable person, e.g. a person’s name, home address, national insurance number, passport number, date of birth, or private email address.
- A Data Subject is the person whose data is being collected and processed. In this statement “you” or “your” is referring to you as the data subject.
- Sensitive Personal Data specifically includes genetic and biometric data, racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
- Processing means any operation performed on personal data eg. collection, re-organisation, alteration, erasure or deletion.
- A Controller determines why and how personal data is processed.
- A Processor is responsible for processing personal data on behalf of a controller.
- A Third Party is any person or body other than the data subject, controller or processor that is authorised to process personal by the data controller or the processor.
3. WHO ARE WE?
In this statement, the words ‘we’, ‘us’, ‘our’, “Attractions of Snowdonia” or “Snowdonia 360” all refer to Attractions of Snowdonia. Attractions of Snowdonia is a consortium of 30 member attractions and is a not for profit company incorporated in the UK (registration number 07620063). It currently has three employees and is managed by a Board of voluntary Directors who are elected from the 30 members.
Attractions of Snowdonia is a data controller which means we decide on what personal data we collect from you and why and how that data is processed. Our named Data Protection Officer for any enquiries on data matters and this statement is our Membership and Marketing Manager who can be contacted at firstname.lastname@example.org or by calling 01766 810715.
4. WHAT PERSONAL DATA WE COLLECT ABOUT YOU
We may collect your: full name, home address, billing address, personal email, telephone numbers, age, family makeup, financial details, photographs.
You give us this data when you:
- apply for and purchase an annual Snowdonia Pass discount card
- apply for and become a Business Member
- subscribe to our e-newsletter
- communicate with us in person, by phone, email, text, letter, social media post or using a website contact form
- enter our competitions
- participate in social media on our channels
- attend an event at one of our Member locations
- apply for a job, become an employee or contractor with us
In addition, when you use our website we may use log files, cookies and digital analytics (Google) to automatically collect the following information from your visit:
- The Internet protocol (IP) address used to connect your device to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
- Information about your visit including how you found our website, what pages you visited and for how long, what you searched for and where you went to from our website.
This automatically collected information identifies you as a single user but not as an individual named person. We use this information simply to work out how effective our website and services are and to identify any improvements.
Further information about Cookies and Google Analytics and how you can opt out of some Cookies and disable Google Analytics can be found in our Cookies Policy.
5. WHAT WE COLLECT AND DO WITH YOUR PERSONAL DATA
We only use your personal data on relevant lawful grounds as permitted the General Data Protection Regulation (GDPR), as it applies in the UK under the Data Protection Act 2018.
We collect and process personal data from you in the following circumstances:
Snowdonia Pass Holders
We collect your name, email, billing and delivery address in order to send you your Snowdonia Pass.
We hold this data for 24 months, after which time we will delete it if you have not reapplied for a new annual pass.
If you purchase your Snowdonia Pass on our website www.snowdonia360.com, then you enter payment credit or debit details directly into the third party payment system STRIPE and your details will be handled according to their policies.
We collect your name, company name, address, work email, contact phone numbers and financial information in order to process your membership. This information is held securely on our systems and used to provide the services to you as set out in your membership agreement.
Membership and financial details will be retained for seven years to meet HMRC financial regulations.
To receive our newsletter, you provide us with your email, first name and surname and we retain these in a secure database.
We use the third-party supplier Mailchimp to distribute the e-newsletter to you. By agreeing to receive the newsletter, you are agreeing to your data being processed by Mailchimp and to their Privacy Statement with regard to handling Contacts’ data: www.mailchimp.com/legal/privacy/#3._Privacy_for_Contacts
You may opt out from receiving our newsletter at any time by choosing Unsubscribe on any newsletter you have received. If you opt out then we will be notified and your details will be removed from our database. It is your responsibility to opt out if you do not want to receive the newsletter.
Communication in person, by phone, email, text, letter, social media post or using a website contact form
We may collect your name, address, email, and contact phone numbers in order to handle and respond to your enquiry. We will retain these details for a maximum period of 12 months after your last communication with us, after which time your details will be permanently deleted.
When you enter a competition, we usually collect your name and email address. You may also be given the option to receive future email marketing from us via our E-newsletter. We process this data as part of our contract to you on entering and we retain it for 24 months after the competition has closed. You may opt out of receiving the E-newsletter at any time.
Participate in social media on our channels
For your safety and security, you must NEVER include personal data such as your address, phone number, email, or other personal information in a post on our social channels as your comments are visible to all.
Attend an event
If you attend an event then we may ask you for your name, address and contact details in order to send you marketing information via our E-newsletter.
Images in which people can be identified are a form of personal data. We will always ask your permission before we take your photograph or film you at an event and will tell you how we intend to use any images in our marketing. We will always seek written permission of the parent or guardian for a child under 13. If images are not used for the purpose we intended, and within a reasonable timescale, then they will be permanently deleted.
Apply for a job, become an employee or contractor with us
In order to comply with our contractual, statutory, and management obligations and responsibilities, we collect and process personal data, including ‘sensitive’ personal data, from job applicants, employees and contractors with us.
Such data can include, but is not limited to, information relating to health, racial or ethnic origin, religion and criminal convictions. In certain circumstances, we may process personal data or sensitive personal data, without explicit consent.
Our employment contractual responsibilities include those arising from the contract of employment. The data processed to meet contractual responsibilities includes, but is not limited to: postal address, bank account details, sick pay, leave, maternity pay, pension and emergency contacts.
Our statutory responsibilities are those imposed through law on us as an employer. The data processed to meet statutory responsibilities includes, but is not limited to: tax, national insurance, statutory sick pay, statutory maternity pay, family leave, work permits, equal opportunities monitoring.
To meet the employment contract, we are required to transfer an employee’s personal data to third parties, for example, to pension providers and HM Revenue & Customs (HMRC) and Payroll. To fulfil our statutory responsibilities, we are required to give some of an employee’s personal data to government departments e.g. provision of salary and tax data to HMRC.
Personal data of applicants to jobs will be permanently deleted after three months. Employee and contractor records will be retained for six years from the end of employment and thereafter permanently deleted.
6. DISCLOSING AND SHARING YOUR PERSONAL DATA
We do not sell or share your personal information for other organisations to use.
Personal data collected and processed by us may be shared with the following:
- Directors, employees and contractors of Attractions of Snowdonia
- Third party cloud hosting companies for databases and website hosting
- IT support providers to our data network and website
- Third party E-newsletter platform provider
- Payment collection services
7. STORAGE OF PERSONAL INFORMATION
Attractions of Snowdonia is based in the UK. Data you provide to us directly is stored on the Microsoft data centres all of which are located in the UK.
Data that you enter into third-party systems via our website such as the STRIPE payment system may be held outside the UK.
8. YOUR RIGHTS AND YOUR PERSONAL DATA
Unless subject to an exemption under the GDPR, you have the right to:
- be informed about the collection and use of your personal data
- access your personal data by requesting a copy of the data we hold about you
- request that we rectify any personal data we hold or have passed to third parties if it is incorrect
- request erasure where it is no longer necessary for us to hold your personal data
- withdraw consent to the processing at any time, where consent was the lawful basis for processing your personal data
- data portability, i.e. for you to obtain and use your data by requesting its direct transfer to another data controller
- request restriction on any further processing where there is a dispute in relation to the accuracy or processing of your personal data
- object to the processing of personal data where applicable, eg for direct marketing or statistical research.
9. SUBJECT ACCESS REQUESTS AND COMPLAINTS
If you wish to exercise your rights and make a subject access request, and/or have a complaint to make about our handling of your data, please contact the Membership and Marketing Manager at email@example.com.
You will be asked what personal information you want to access, where it is likely to be held and the date range. We will need you to confirm your identity before we accept the request. If we hold personal information about you, we will give you a copy of the information in an understandable format together with an explanation of why we hold and use it within one month after your request.
You also have the right to contact the Information Commissions Office (ICO) using their help line 0303 123 113 or at www.ico.org.uk.
10. CHANGES TO THIS PRIVACY STATEMENT
We will review and update this Privacy Statement when there are any changes to what personal data we collect, how and why we use your personal data and when there are any new legal requirements. The current version will always be posted on our website.
This privacy statement was written in January 2020.