Reed & Mackay Policy Notice
Reed & Mackay respects the right to privacy and is committed to protecting the information we process that identifies you (“Personal Data”). This privacy notice sets out the purposes for which we process Personal Data, how we look after your Personal Data processed through our website or use of our technology or services, and the rights you have as with regards to your Personal Data.
1. IMPORTANT INFORMATION AND WHO WE ARE
Reed & Mackay (“R&M” and/or “we”) is a Travel Management Company, providing corporate travel and event services (“Services”) to organisations. Where we have been engaged by your organisation, R&M’s client (“Client”), to provide such Services, R&M will process Personal Data provided by and on behalf of our Clients to facilitate the provision of these Services. This relationship is subject to a written contract between R&M and our Client which forms the basis for the processing of Personal Data carried out by us. Under these circumstances, the Client is the Controller of data, and R&M operates as the Processor on their behalf. We process data under our Clients instructions to provide the Services they require.
The Services are made available pursuant to an arrangement between our Client and R&M whereby we act as agent. This means that we are required to pass Personal Data on to Travel Service Providers (as defined below). The relevant Travel Service Provider operates as a Controller in their own right and is directly responsible for the security of the Personal Data it receives, and for compliance with applicable law; R&M is not responsible for the acts or omissions of such Travel Service Providers.
There are select circumstances where R&M operate as a Controller. These are specific to R&M’s capacity as an employer, and sometimes for the purposes of Client communications, marketing and Service improvement (see further below).
2. THE DATA WE PROCESS
We process Personal Data on behalf of our Clients and will need to send Personal Data to Travel Service Providers in order to fulfil travel requirements. Please see below a list of all the data items we may be required to collect depending on your travel needs:
- Title, first name, surname, billing address, delivery address, email address and telephone numbers.
- Bank account and payment details.
- Detailers of travel and event bookings, products and Services purchased.
- Destinations, locations and itineraries of travel or event.
- Internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices used to access this website.
- Cookies.
- Information about how the website, products and Services are used.
- Identity – title, first name, middle name, surname, gender date and place of birth, country of residence, nationality, marital status.
- Passport – passport country, issue country, passport number, forename, middle names, surname, date of issue, date of expiry, biometric (Y/N).
- Visa (inc. ESTA, Redress, Schengen, Work Permit, Global Entry) – visa country, issue country, type of visa, document number, issue date and date of expiry.
- TSA – TSA number, start date, expiry date.
- Driving Licences – country, licence number, forename, middle name, surname, start date, expiry date, provisional (Y/N), international (Y/N).
- ID Cards – country, ID card number, forename, middle name, surname, start date, expiry date.
- Travel Preferences (inc. air, car, rail, Eurostar, hotel, accessibility requirements for trip) – seat type, seat allocation, meal preferences, home airport, online check-in preference, transmission, fuel/aircon, satnav (Y/N), coach number, room type, smoking/non-smoking.
- Vaccine information as required for bookings.
- Memberships/loyalty cards – Service type, supplier, membership number, date of expiry, status, level.
- Payment card details.
- Communication preferences from us and our third parties, feedback and survey responses.
- Calls to and from R&M may be recorded from time-to-time
We may also collect, use and share aggregated data such as statistical or demographic data. Aggregated data may be derived from Personal Data but is permanently anonymised and cannot directly or indirectly reveal your identity. For example, we may aggregate travel data for Management Information reports.
HOW WE COLLECT PERSONAL DATA
We use different methods to collect data including through:
You or your organisation may share the Personal Data above with us by:
- Providing a HR feed
- Corresponding with us by email, phone, post or otherwise
- Through your use of our online booking tool
We process this data on behalf of your organisation, as their Processor.
Through interactions with our websites, we automatically collect Technical and Usage Data on occasion about equipment, browsing actions and patterns. We collect this Personal Data by using cookies, and other similar technologies. Please see our cookie policy for further details.
We receive data identifying client organisations from various third parties, such as analytics from Google and Pardot, and public sources.
3. HOW WE USE PERSONAL DATA
R&M will only use Personal Data as required to provide travel management and travel related services to our Clients. This processing of Personal Data is governed by a written contract between ourselves and our Clients. Additionally, we will only process Personal Data in the following circumstances, for particular purposes:
- Where it is necessary for our legitimate interests and personal interests and fundamental rights do not override those interests. This is for the improvement of our Service and management of the relationship we have with our Clients.
- Where we need to comply with a legal or regulatory obligation.
Travellers or event delegates may also need to provide us with Personal Data directly in connection with that engagement. We rely on the Controller to ensure data provided to us is accurate and current.
PURPOSES FOR WHICH WE WILL USE PERSONAL DATA
In our capacity as Processor for our Clients in the provision of Travel & Event Management services
PURPOSE/ACTIVITY
To register new travellers or event delegates and build the necessary profiles.
TYPE OF DATA
a) contact
b) Traveller Profile
LAWFUL BASIS FOR PROCESSING
This is required to provide travel, events and related services requested by our Client. This is governed by instruction through a written contract with R&M, as a Processor.
To process and deliver travel and events management:
a) Manage bookings, refunds, payments, fees and charges.
b) Collect and recover money owed to us.
a) Traveller Profile
b) Contact
c) Financial and Transactional
This is required to provide travel, events and related services requested by our Client. This is governed by instruction through a written contract with R&M, as a Processor.
To manage our Client relationship which will include:
a) Notifications about changes e.g., to our terms, products and Services, privacy policy etc.
b) Asking for reviews or survey participation.
a) Financial and Transactional
b) Contact
c) Traveller Profile
d) Communications
This is required to provide travel, events and related services requested by our Client. This is governed by instruction through a written contract with R&M, as a Processor.
In our capacity as Controller
To administer, protect and
improve our business and this
website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
a) Contact
b) Technical and Usage
Necessary for our legitimate interests (to define types of customers for our products and Services, to keep our website updated and relevant, and develop our business).
To deliver relevant website content and communications and measure or understand the effectiveness of the communications we serve.
a) Contact
b) Technical and Usage
c) Communications
Necessary for our legitimate interests (to study how customers use our products/Services, to develop them, to grow and improve our business and to inform our communications strategy).
MARKETING – R&M do share marketing communications with prospective clients and leads, only where they have opted-in to this form of communication or where we have a legitimate interest in the processing of this data.
OPTING OUT – R&M do not rely on consent as a legal basis for processing Personal Data other than in prospect or lead marketing. To ask us or our third parties who support us in this marketing to stop sending marketing messages at any time, please get in touch with us at marketing@reedmackay.com or write to us at the following address:
Marketing Department
Nexus Place
25 Farringdon Street
London EC4A 4AF
Please note, this opt-out right will not apply to Personal Data provided to us as a result of a product/Service purchase, interest, warranty registration, product/Service experience or other transactions.
CALL RECORDINGS – R&M may record your calls with us for the purpose of training and monitoring. Callers will be made aware of this at the start of the call, and any call records will only be retained for 3 months, after which they will be permanently deleted.
COOKIES – Browser settings can refuse all or some (non-essential) browser cookies, or provide alerts when websites set or access cookies. If cookies are disabled or refused, please note that some parts of our website or technology may become inaccessible or not fully functional. For more information about the cookies we use, please see our cookies policy.
4. DISCLOSURES OF PERSONAL DATA
We share Personal Data with the parties set out below only to the extent necessary, to support the purposes set out in the table in paragraph 3 above.
Sub-Processors are the third parties we contract with in order to support us in the provision of our Services to your organisation. This includes the third parties we use to power our tools such as our online travel and meeting booking tools. All third parties are engaged in line with GDPR Article 28 provisions to ensure your Personal Data is protected to the same level by our Sub-Processors as it is by ourselves, and that they only use Personal Data for specific, instructed purposes.
Please see the next section, International Transfers, to understand how we remain compliant when transferring your Personal Data internationally. For the avoidance of doubt this does not include Travel Service Providers.
To see a list of our sub-processors, please submit a request to privcy@reedmackay.com.
Travel Service Providers are the third parties who provide the travel services directly to yourselves. R&M engages with them on your behalf as our Client’s authorised agent in order to facilitate the provision of Services. Service Providers are categorised as the following:
- Parties that provide travel services and with whom R&M makes bookings on our Client’s behalf, including airlines, hotels, rail and other ground transport that our Clients choose to travel with;
- Parties that facilitate or process bookings (whether electronically or otherwise) made by R&M on our Client’s behalf for travel services, including on-line booking tools or other external software and travel agents; or
- Parties that process applications to assist or enhance a person’s ability to receive the benefit of the Services, including passport and visa agencies, currency convertors, travel information services and other similar agencies.
Travel Service Providers are independent Controllers of Personal Data and have direct obligations to yourselves regarding the processing and security or your Personal Data, and in giving effect to your Individual Rights. R&M always acts in these circumstances as Processor as our Client’s behalf. We are not responsible for the acts or omissions of such service providers.
THIRD-PARTY LINKS
Our website or use of our technology of Services may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share Personal Data. We do not control these third parties and are not responsible for how they process Personal Data.
5. INTERNATIONAL TRANSFERS
As a Processor for our Clients, and in the provision of a global service, we share Personal Data among the entities within R&M’s operational control (please see these entities listed below under Group Entities), with our local TMC Partners and with third party sub-processors. This will involve transferring Personal Data outside the UK and the European Economic Area (EAA).
We ensure the same degree of protection is afforded to all Personal Data by ensuring at least one of the following statements is implemented:
- We will only transfer Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the ICO or the European Commission.
- In the absence of an adequacy decision, we will implement the necessary transfer tools of Standard Contractual Clauses or the UK International Data Transfer Agreement (or Addendum) with additional supplementary measures as needed with our sub-processors who store and process data in the US and other third countries using appropriate encryption tools, in compliance with the recent Schrems II decision.
6. DATA SECURITY
R&M operates as part of a global business and our Clients’ Personal Data will be processed by our international entities as set out in paragraphs 4 and 5 above. However, we store all Personal Data in the UK.
We have put in place appropriate security measures to prevent against the accidental, unauthorised or unlawful access, loss, alteration, or disclosure of Personal Data. In addition, we only permit access to your Personal Data to those employees, agents, contractors and other third parties on a need-to-know basis. They will only process Personal Data on our instruction, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected Personal Data breach and will notify our Clients and any applicable regulator of a breach where we are legally required to do so.
7. DATA RETENTION
HOW LONG WILL PERSONAL DATA BE PROCESSED? – We will only retain Personal Data for as long as is necessary to fulfil the purpose for which it was processed, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate measures for retention for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of Personal Data, and the purposes for which we process Personal Data.
Specifically, our Client Personal Data held in profiles and travel bookings/history is retained for the duration of the contract with the Client organisation unless otherwise instructed by that organisation.
Requests to remove profiles may come as part of the regular or one-off automatic profile maintenance feeds provided by some of our Clients, may be requested through the portal, or via travel consultants who have the ability to delete profiles.
Management Information (MI) data, which would include travel details (including traveller names but not passport etc.), is retained for a period of 5 years (rolling) irrespective of the currency of our Client’s contract (i.e. this data will exist for 5 years beyond the last travel date).
Similarly, Transaction History, which would include travel details (including traveller names but not passport etc.), is retained for a minimum of 7 years to comply with legal obligations.
Call recordings are retained for 3 months. Personal Data that is no longer required is deleted permanently from information systems and any hard copies are securely destroyed.
By law we are required to keep basic information about our customers (including Contact, Financial and Transactional Data) for 7 years after they cease being customers for tax purposes.
In some circumstances we may anonymise Personal Data (so that it can no longer be associated with an individual) for research or statistical purposes in which case we may use this information indefinitely without further notice.
8. LEGAL RIGHTS
You can submit an Individual Rights request for any of the following to privacy@reedmackay.com
As a Processor of Personal Data on behalf of our Clients, R&M can only give effect to Individual Rights requests on the instruction of our Clients. We will need to verify your request with your organisation, and obtain their permission to give effect to these rights as a Processor:
- Request access to Personal Data (commonly known as a “data subject access request”). This enables individuals to receive a copy of the Personal Data held about them and to check that the data is being lawfully processed.
- Request correction of the Personal Data that we hold about an individual. This enables individuals to have any incomplete or inaccurate data we hold about them corrected, though we may need to verify the accuracy of the new data provided to us.
- Request erasure of Personal Data. This enables individuals to ask us to delete or remove Personal Data where there is no valid reason for us continuing to process it. Note, however, that we may not always be able to comply with the request of erasure for specific legal reasons which will be notified to the requestor, if applicable, at the time of the request.
- Request the transfer of Personal Data. This will typically be requested at the corporate level should your organisation be changing your Service. Upon our Client’s request, we will provide the data in a structured, commonly used, machine-readable format. Note this right only applies to information held on electronic media which was initially provided to us in order to perform a contract with your organisation.
Please note, Clients and individuals are able to update or delete certain Personal Data items included in their profile through an interface from our Client’s HR system, through direct access to their profile, or via a travel consultant/agent. Where this is not possible or applicable, or an individual wishes to exercise any of the other rights set out above, please contact us at privacy@reedmackay.com. In capacities where we process your Personal Data as Processor (as described in paragraph 3 above), on behalf of our Client, the Controller, we will notify the Controller of the request without undue delay and support them in responding to it.
In our capacity as a Controller of your Personal Data (as an employer, and for specific Client communications and Service improvements), we will be able to address your Individual Rights requests directly. Additional to the rights listed above you may also request the following:
- Object to processing Personal Data where we are relying on a legitimate interest (or that of a third party) and you feel the processing impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process the information which override these rights and freedoms.
- Request restriction of processing Personal Data. This enables you to ask us to suspend the processing of Personal Data in the following scenarios: (a) to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of the data but we need to verify whether we have overriding legitimate grounds to use it.
- Withdraw consent at any time where we are relying on consent to process Personal Data. However, this will not affect the lawfulness of any processing carried out before withdrawal of consent. If consent is withdrawn, we may not be able to provide certain services. We will advise if this is the case at the time consent is withdrawn.
NO FEE USUALLY REQUIRED – Individuals will not have to pay a fee to access their Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if the request is repetitive or excessive. Alternatively, we may refuse to comply with the request in these circumstance.
WHAT WE MAY NEED – We may need to request specific information from the individual, or the employer or travel sponsor to help us confirm the individual’s identity and ensure their right to access the Personal Data (or to exercise any of the other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also ask for further information in relation to the request to speed up our response.
TIME LIMIT TO RESPOND – We aim to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if the request is particularly complex or a number of requests have been made. In this case, we will notify requestors of this and keep them updated.
9. FURTHER INFORMATION
Please direct any questions about how we process personal information to our Data Protection Officer, who is contactable at privacy@reedmackay.com . We hope that we will be able to address any questions or concerns. However, individuals also have the right to make a complain at any time to their local Supervisory Authority. Please see below the contact information for the Supervisory Authority in your region:
Information Commissioner’s Office (ICO)
+44 (0) 303 123 1113
Commission Nationale de l’Informatique et des Libertés (CNIL)
+33 (0) 1 53 73 22 22
Bundesbeauftragter für Datenschutz und Informationsfreiheit (BfDI)
+49 (0) 228 997799-0
Datatilsynet
+47 22 39 69 00
Agencia Española de Protección de Datos (AEPD)
+34 (0) 901 100 099
Integritetsskyddsmyndigheten (IMY)
+46 (0) 8 657 61 00
Office of the Australian Information Commissioner (OAIC)
1300 363 992
California Privacy Protection Agency (CPPA)
+1 209 948 1911
Office of the Privacy Commissioner of Canada
(819) 994 5444
Privacy Commissioner’s Office (PCO)
+64 9 302 8680
10. GROUP ENTITIES
This privacy notice applies to all Reed & Mackay Group Entities as listed below:
25 Farringdon Street, London, EC4A 4AF, United Kingdom
Office GB08-10, Dubai Silicon Oasis HQ Building, Dubai Silicon Oasis, Dubai, PO Box 341411, UAE
Level 01, Incubator Building, Masdar City, Abu Dhabi, UAE
1900 Market Street, 8th Floor, Philadelphia, PA 19103
Concierge House, 332 Kent Street, Sydney, NSW 2000, Australia
600 North Bridge Road #10-01 Parkview Square, Singapore 188778
63 Bis Avenue Ledru Rollin, 75012 Paris, France
Robert-Bosch Str 32, D-63303, Dreieich bei Frankfurt, Germany
34 Britain Street, Suite 200, Toronto, Ontario M5A 1RB, Canada
414, 4th Floor, D-21 Corporate Park, Dwarka, New Delhi, 110075, India
BDO, L4, 4 Graham Street, Auckland Central, Auckland, 1010, New Zealand
Carrer de Calvet, 55, Barcelona 08021, Spain
Kruthusgatan 17, 411 04, Göteborg, Sweden
Postboks 39, 1720 Greáker, Norway