at Atholl Palace Lodges
INTRODUCTION AND SCOPE
Findlater Hotels Limited is the legal entity for the Castle Collection, which is a family-owned and family run hotel group with six properties located in Ireland, Scotland and Wales.
Processing personal data in a secure, fair, and transparent way is extremely important to us . We know that your privacy is important to you. This notice explains how we collect and use your information, who we share it with and your legal rights.
This policy applies to our use of your information in connection with products and services, and all our related website, domains, and apps that may be accessed by our customers, partners and employees (collectively the “Services”).
WHO WE ARE
Findlater Hotels Limited (“Findlater Hotels Limited”, “Castle Collection”, “The Castle Hotel”, “Ballina Manor Hotel”, “Fishers Hotel”, “Atholl Palace”, “Atholl Lodges”, “The Beaches Hotel”, “Scotland’s Spa Hotel”, “we”, “us”, or “our”) is the provider of the Services and is data controller for your information.
Findlater Hotels Limited is a private company limited by shares duly incorporated under the laws of Ireland, having company registration number 452422 and its registered office at 3-4 Gardiner Row, Dublin 1, D01R640, Ireland.
WHO THIS POLICY APPLIES TO
We collect and process information relating to individuals using the Services including customers, employees, partners, and others.
If you are an employee, supplier or partner, please also check the contracts between us: they may contain further details on how we collect and process your data.
INFORMATION WE COLLECT AND HOW WE GET IT
In the course of providing the Services, we collect or receive information in different ways and relating to various groups of individuals, including:
We collect and use information relating to you. This information may include information relating to your name, address, phone number, email address and IP address. We will also collect payment information (debit or credit card details).
• Employees / Third Party Contractors
We collect and use information relating to you. This information may include your name, job title, professional details, medical history, employment history, training records, email address, contact number, PPS number and bank account details.
We collect and use information relating to you. This information may include your name, job title, email address, telephone number, company name, and address. We may also collect bank account details.
If you visit any of our websites or use our apps, we will collect certain information relating to you. Generally, unless you submit information to us, such as via an online form, telephone call, email or booking platform, we only collect technical and device-related information from your use of our website and apps.
HOW WE USE THIS INFORMATION
We use this information for the purposes described below.
• Providing the Services:
We process your information as necessary to provide the Services requested. For example, we collect information from you in order to provide the Services or book accommodation. We also store this information on our platform so that we can access your booking information. We also may send you booking confirmation or promotional information by email.
Lawful basis: Contract
• Account set up and payment:
We process your information in order to set up a profile for you on our systems and as part of our administrative, financial and operational processes, such as processing orders, taking payment, issuing invoices, etc. where you pay for the Service directly or we engage with our suppliers.
Lawful basis: Contract
• Service improvement and development:
We process your information in order to improve our Services and for business planning purposes. For example, we may process information about how you use our Services in order to troubleshoot technical issues, predict service level demands and understand the features of the Services that are most popular. We also process your information in order to develop new services. As part of our work with our commercial partners, we may share anonymised data that does not identify you but which reveal trends, patterns or other information about how we provide the Services that is useful to our commercial partners. We may send you out feedback forms to complete post utilising our services by email.
Lawful bases: Contract & legitimate interests
• Safety and security:
We process your information as necessary to ensure we offer safe and secure Services, including to detect and prevent fraudulent and other illegal behaviour.
Lawful bases: Contract & legitimate interests
• Legal and regulatory:
We process your information as required (a) for compliance with our legal and regulatory obligations (b) to detect, investigate, prevent, and address fraud and other illegal activity, security, or technical issues; (c) to protect our rights, property, or safety; (d) to enforce any contracts we have with you; (e) to prevent physical injury or other harm to any person or entity, including you and members of the public. In addition, we may be legally required to share information with public bodies e.g. Revenue, HMRC, Police, An Garda Siochana, etc.
Lawful basis: Legitimate interests
• Marketing and Advertising (with your consent)
We may send you updates, invites and marketing materials relating to the Services. If we do so, we will also collect information on your interaction with such communications. We may also collect information for analytics, displaying content and interaction with external social networks and platforms, geolocation and RSS feed management, and remarketing and behavioural targeting.
Lawful basis: Contract and consent
OUR LEGAL BASES
In order to collect, use, share, and otherwise process your information for the purposes described in this policy, we rely on a number of legal bases, some of which are mentioned above, including where:
• necessary to perform a contract we have with you, and to provide the Services
• you have consented to the processing (in which case you may withdraw your consent at any time
• necessary for us to comply with a legal obligation
• necessary to protect your vital interests, or those of others
• necessary in the public interest
• necessary for the purposes of Findlater Hotels Limited or a third party’s legitimate interests, for example for marketing, improving or developing the Services and keeping the Services safe and secure, provided that those interests are not overridden by your interests or fundamental rights and freedoms
SHARING YOUR INFORMATION
In the course of providing the Services, we share information with various third parties such relevant government departments and bodies (including Revenue / HMRC), our service providers or regulators (where legally required).
We do this based upon the legal bases and exceptions referenced in this policy for the following purposes.
• Providing the Services:
If you are a customer, we may share the information provided by you with our service providers in order to provide the Services e.g. accommodation booking, payment processing, etc.
• Keeping our Services safe and secure:
We use your information in certain instances as necessary to pursue our and your legitimate interests of keeping some of our Services, such as our domains, websites, apps, offices and events, safe and secure. For example, we collect IP addresses and process log files to ensure our website and apps are not subject to fraudulent access.
• Legal and safety reasons:
We may share your information with law enforcement, regulators and others if we have a good-faith belief that it is reasonably necessary to (a) respond, based on applicable law, to a legal request (e.g., a subpoena, search warrant, court order, or other request from government or law enforcement); (b) detect, investigate, prevent, and address fraud and other illegal activity, security, or technical issues; (c) protect our rights, property, or safety; (d) enforce any contracts we have with you; (e) prevent physical injury or other harm to any person or entity, including you and members of the public; (f) for regulatory compliance and investigations.
• Service providers and professional advisers:
We may share your personal information to help us provide our services and communicate with you. Categories of service providers include IT software, hosting providers, and records-storage companies. We may also share your personal information where we need advice and support from our professional advisers, such as accountants, lawyers and insurance providers. Where such third parties are processors, these third parties are contractually required to use it only to provide their service to us and are contractually barred from using it for their own purposes.
• Business re-organisation:
In instances where our business is subject to a re-organisation, such as a merger or acquisition of some or all of its assets, we may, in accordance with our legitimate interests, need to share information in the course of the transaction. In such circumstances, your information may be disclosed, where permitted by applicable law, in connection with a corporate restructuring, sale, or assignment of assets, merger, or other changes of control or financial status of Findlater Hotels Limited.
We process the Data in a lawful and proper manner and take appropriate security measures to prevent unauthorised access, disclosure, modification or unauthorised destruction of the Data. Processing is carried out using computers and / or telematic means, with technical and organisational methods, and logics strictly related to the stated purposes.
In some cases, access to the Data may be available to external parties (such as third party technical service providers, mail carriers, hosting providers, IT companies, communications agencies).
The Data is processed at our headquarters unless stated otherwise. Our headquarters is located at Findlater Hotels Limited, 3-4 Gardiner Row, Dublin 1, D01R640, Ireland.
In certain cases, we may need to transfer your information to recipients outside the European Economic Area (“EEA”), such as where it is necessary to provide the Services.
Where we transfer your information, we do so in accordance with EU data protection law. We only transfer personal information to these countries when it is necessary for the services we provide you, or it is necessary for the establishment, exercise or defence of legal claims or subject to safeguards that assure the protection of your information.
When Findlater Hotels Limited engages in such transfers of personal information, it relies on i) Adequacy Decisions as adopted by European Commission on the basis of Article 45 of Regulation (EU) 2016/679 (GDPR), or ii) Standard Contractual Clauses issued by the European Commission. For more information, please visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en. Findlater Hotels Limited also monitors the circumstances surrounding such transfers in order to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR.
Following the Court of Justice of the European Union’s invalidation of the EU-US Privacy Shield Framework in Case C-311/18, Findlater Hotels Limited will no longer rely on the EU-US Privacy Shield as a mechanism of international data transfer until further notice. Findlater Hotels Limited will however remain committed to maintaining its self-certification under the EU-US Privacy Shield Principles and respect its principles, as an additional measure of protection of its users’ privacy, until further notice.
Please note that the privacy protections in some of these countries may not be the same as in your home country. We will only transfer information as permitted by law.
For further information, including obtaining a copy of the documents used to protect your information, please contact us on firstname.lastname@example.org.
We may retain your information for as long as necessary in light of the purposes set out in this notice, including for the purposes of satisfying any legal, accounting, or reporting requirements and, where required for Findlater Hotels Limited to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled. For example, we have specific legal obligations to retain personal information in accordance with our statutory requirements.
ITEM TYPE DURATION TIME
Customer booking 2 years
Employee application form Duration of employment
Employee references received 1 year
Payroll and tax information 6 years
Employee sickness record 3 years
Employee annual leave record 2 years
Employee unpaid leave / special leave records 3 years
Annual Performance Development Review 5 years
Employee records relating to promotion / transfer / training / disciplinary 1 year from termination
Employee references given / information to enable provision of a reference 5 years from reference / termination
Employee summary of record of service 10 years from termination
Accidents / injuries at work records 12 years
Standard Operating Procedures 15 years after superseded
Order / delivery notes Current financial year plus 1 year
Equipment / instruments / maintenance logs / records of service inspections Lifetime of the equipment
Procurement, use, modification and supply records relevant to production of products or equipment 11 years
Homicide / Serious Untoward incident 30 years
CCTV footage 30 days after date of recording
Record of destruction of each item mentioned above Never to be destroyed
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
You have a number of rights in relation to your information that we process. To exercise these rights, please contact email email@example.com.
While some of these rights apply generally, certain rights apply only in specific circumstances. We describe these rights below.
Access: You have the right to request access to your information that we control.
Data Portability: You have the right to request that some of your personal information that you initially provided to us is returned to you or another controller in a commonly used machine readable format.
Rectify, Restrict and Delete: You have the right to ask us to restrict the processing of your information or to rectify or delete your information. Please note that despite a deletion request, we may continue to process your information if we have a legal basis to do so.
Object: If we process your information based on our legitimate interests explained above, or in the public interest, you can object in certain circumstances. In such cases, where legally required to do so, we will cease processing your information unless we have compelling legitimate grounds to continue processing or where it is needed for legal reasons. Where we use your data for direct marketing, you can always object using the unsubscribe link in such communications or by contacting us at firstname.lastname@example.org.
Withdraw Consent: Where you have previously provided your consent, you have the right to withdraw your consent to our processing of your information at any time. For example, you can withdraw your consent to email marketing by using the unsubscribe link in such communications or contacting us at email@example.com. In certain cases, we may continue to process your information after you have withdrawn consent if we have a legal basis to do so or if your withdrawal of consent was limited to certain processing activities.
Complain: You have the right to submit a complaint about our use of your information with your local supervisory authority, the Data Protection Commission (Ireland) or the Information Commissioner’s Office (UK).
You have the right to access and obtain the following information from our company:
• confirmation that our company is processing your personal data
• a copy of your personal data, and
• other supplementary information
In addition, you have the right to rectify or delete your personal data. In certain circumstances, Findlater Hotels Limited has the right to override your request to be forgotten / erasure in certain circumstances, in accordance with article 17(3) of the GDPR.
Below are the reasons cited in the GDPR that override the right to forgotten /erasure.
• The data is being used to exercise the right of freedom of expression and information.
• The data is being used to comply with a legal ruling or obligation.
• The data is being used to perform a task that is being carried out in the public interest or when exercising an organisation’s official authority.
• The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and where erasure of the data would likely to impair or halt progress towards the achievement that was the goal of the processing.
• The data is being used for the establishment of a legal defence or in the exercise of other legal claims.
• The data being processed is necessary for public health purposes and serves in the public interest.
• The data being processed is necessary to perform preventative or occupational medicine. This only applies when the data is being processed by a health professional who is subject to a legal obligation of professional secrecy.
In such cases you will be informed promptly and given full reasons for that decision.
In order to make a subject access request regarding access to your personal data or for the purpose of erasing or rectifying your personal data, fill in the Subject Access Request Form. Click here to download the form.
You have the right to lodge a complaint regarding our use of your data. Please tell us first, so we have a chance to address your concerns. If we fail in this, you can address any complaint to the Data Protection Commission (Ireland) or the Information Commissioner’s Office (UK). The details are listed below:
The Data Protection Commission (Ireland)
Commissioner: Helen Dixon
Postal Address: Canal House, Station Road, Portarlington, R32 AP23, Co. Laois, Ireland
Telephone: +353 57 8684800 or +353 76 1104800
Lo Call Number: 1890 252 231
Fax: +353 57 868 4757
The Information Commissioner’s Office (UK)
Commissioner: Elizabeth Denham CBE
Postal Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England
Telephone: +44 (0)303 123 1113
Fax: +44 (0)1625 524510
THIRD PARTY SERVICES
Our websites, domains and apps may contain links to other websites and services, which are managed and controlled by third parties. Please note that this notice does not apply in those cases and we are not responsible for the privacy practices of such third parties.
AMENDING THE POLICY
From time to time, we may amend this policy. This might happen, for example, where we make changes to the Services. If we make material changes to the policy, we will take steps to notify you, such as by posting a notice on our website. The notice was last updated at the date indicated further below.
If you want to exercise you rights (described above), or if you have any questions about this notice, please contact our Data Protection Lead on the below contact details.
Data Protection Lead
Findlater Hotels Limited
3-4 Gardiner Row
Telephone: +353 (0)1 874 6949
Last updated: 13th June 2023.
Findlater Hotels Limited Website – Cookies Notice page
What are Cookies?
When you visit any website it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device. The information does not usually directly identify you but it can give you a more personalised web experience.
A cookie is a small piece of data in the form of a text file that may be stored on your computer or mobile device having visited a website. It allows a website to “remember” your actions or preferences over a length of time and helps us improve your experience each time you visit. Examples of these include Google Chrome, Firefox or Internet Explorer. They are stored on your device’s hard drive and only identify your device, and not you personally.
There are 2 distinct types of cookies – session cookies and persistent cookies.
• Session Cookies:
These temporary cookies are not stored on your computer or mobile device.
• Persistent cookies:
Persistent or Duration cookies are placed on your computer or mobile device for a pre-determined duration once you visit a website.
For a further explanation about cookies visit http://www.allaboutcookies.org/.
There are two main purposes for cookie use.
• Functionality – log in as a particular user, remember preference, use of shopping carts, and share links via social media.
• Usage – to collect usage data and provide personalised suggestions and information.
• To help speed up the booking process so that you do not need to re-type the same information repeatedly.
• To collect information relating to our customer use and patterns.
• To help us deliver advertising effectively and avoid repeating adverts to you. We work with carefully selected third-parties who we allow to employ cookies on our site, on our behalf. These cookies allow us to provide advertising on other websites that are more relevant to a user’s interests. The information that we collect and share is anonymous and not personally identifiable. It does not contain a user’s name, address, telephone number or email address.
• If you receive our emails, we tailor the information we send you based on the data our cookies have collected from your recent visits to our website. You can opt out of this in any marketing email we send.
Types of cookies used by Findlater Hotels Limited
Name Type Duration Description
PHPSESSID PHP Session ID 20 minutes Used to distinguish users on the system
Triptease-identify-data Booking engine 7 hours Used by our booking engine provider to assist with bookings
tt-domain-user-id Booking engine 5 years Used by our booking engine provider to assist with bookings
Cookie-preferences Cookie preferences 6 months Stores the cookie preferences for the website
Name Type Duration Description
_ga Google Analytics tracking cookie 2 years Used to distinguish users
_gid Google Analytics tracking cookie 24 hours Used to distinguish users
_gat Google Analytics tracking cookie 1 minute Used to throttle request rate
Social Media Cookies
Name Type Duration Description
fpestid Sharethis Cookie ID 1 year Used to facilitate sharing of content on social platforms
Your consent to Cookies
Last Update: 2nd June 2023
We measure visitors to our website using Google Analytics. This records what pages you view within our site, how you arrived at our site and some basic information about your computer, such as which browser you are using and the size of your screen.
You can learn more about Google Analytics or opt out if you wish.
Google Advertising Features
In addition to the anonymous analytics information collected above, we also use some of Google Analytics’ advertising features. In particular we use their remarketing tools and their demographics and interest reporting.
Remarketing with Google Analytics allows us to target our web adverts at you elsewhere around the web. We do this by setting a cookie when you visit our website identifying you as a visitor. When you later visit a page elsewhere on the web that includes Google advertisements, Google can see that you are a visitor to our website and is more likely to show our advertisements to you.
Google Analytics Demographics and Interest Reporting makes age, gender, and interest data collected by Google available to us so that we can better understand who our users are.
Booking Online And Buying Gift Vouchers
When you book a stay with us or order a gift voucher via our website we will record specific personal information about you, such as your name and email address. We also log account and transaction history or accounting purposes, and to monitor our business activities.
We use the SynXis Central Reservation System by Sabre Hospitality to take bookings via our website. Sabre is a global organization headquartered in the United States and with information systems in several countries around the world. When you book using this system your personal information will be shared with Sabre for the purposes of making your booking and may be transferred outside of the EU. You can read about Sabre’s approach to your privacy on their website.
Our online gift voucher shop (athollpalacevouchers.co.uk) is provided and managed by Web Smart Media, a Pitlochry based web design and marketing agency.
Social Media Embeds
We include certain social media widgets on our website, like YouTube videos and Facebook buttons. To do so we embed code that they provide and we do not control ourselves. To function, their widgets generally know if you’re logged in; for example Facebook uses this to say “x of your friends like this”.
We do not have any access to that information, nor can we control how those networks use it.
We like to keep our guests in the loop on events and offers around the Atholl Palace Hotel, which we do so using occasional emailed newsletters. To do so we maintain email marketing lists, which are stored and managed by Web Smart Media.
You may opt out of receiving these emails at any time, either by clicking the unsubscribe link in any of the emails or by contacting us directly.
A cookie is simply a technology for remembering something about you, in the form of small pieces of data that we store in your web browser. Every time you visit our website our cookies are sent to us, letting us recognise you as the same person that had visited previously.
Things You Can Do
You have the right to control how we use your personal information. In particular, you may at any time:
- Get a copy of any personal data we hold about you.
- Have any incorrect, inaccurate or incomplete date corrected.
- Ask that personal data be erased if it is no longer needed.
- Ask that your data is not used for marketing purposes.
If you need to do so then please get in touch with us via the details below.
If you have any questions regarding this privacy notice please contact us by email at firstname.lastname@example.org or by post to Atholl Palace Hotel, Pitlochry, PH16 5LX, Scotland.