Reed & Mackay Privacy Notice
Reed & Mackay respects the right to privacy and is committed to protecting the information we process that identifies you (“Personal Data”). This privacy notice sets out the purposes for which we process Personal Data, how we look after your Personal Data processed through our website or use of our technology or services, and the rights you have with regard to your Personal Data.
1. IMPORTANT INFORMATION AND WHO WE ARE
Reed & Mackay (“R&M” and/or “we”) is a Travel Management Company, providing corporate travel and event services (“Services”) to organisations. Where we have been engaged by your organisation, R&M’s client (“Client”), to provide such Services, R&M will process Personal Data provided by and on behalf of our Clients to facilitate the provision of these Services. This relationship is subject to a written contract between R&M and our Client which forms the basis for the processing of Personal Data carried out by us. Under these circumstances, the Client is the Controller of data, and R&M operates as the Processor on their behalf. We process data under our Clients’ instructions to provide the Services they require.
The Services are made available pursuant to an arrangement between our Client and R&M whereby we act as agent. This means that we are required to pass Personal Data on to Travel Service Providers (as defined below). The relevant Travel Service Provider operates as a Controller in their own right and is directly responsible for the security of the Personal Data it receives, and for compliance with applicable law; R&M is not responsible for the acts or omissions of such Travel Service Providers. There are select circumstances where R&M operates as a Controller. These are specific to R&M’s role as an employer, and sometimes for the purposes of Client communications, marketing and Service improvement (see further below).
2. THE DATA WE PROCESS
We process Personal Data on behalf of our Clients and will need to send Personal Data to Travel Service Providers in order to fulfil travel requirements. Please see below a list of all the data items we may be required to collect depending on your travel needs:
Category of Personal Data
Contact Data
Financial and Transactional Data
Financial and Transactional Data
Traveller Profile Data
Communications Data
Call Recordings
Data items included
- Title, first name, surname, billing address, delivery address, email address and telephone numbers.
- Bank account and payment details.
- Details of travel and event bookings, products and Services purchased.
- Destinations, locations and itineraries of travel or event.
- Internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices used to access this website.
- Cookies.
- Information about how the website, products and Services are used.
- Identity – title, first name, middle name, surname, gender, date and place of birth, country of residence, nationality, marital status.
- Passport – passport country, issue country, passport number, forename, middle names, surname, date of issue, date of expiry, biometric (Y/N).
- Visa (inc. ESTA, Redress, Schengen, Work Permit, Global Entry) – visa country, issue country, type of visa, document number, issue date and date of expiry.
- TSA – TSA number, start date, expiry date.
- Driving Licences – country, licence number, forename, middle name, surname, start date, expiry date, provisional (Y/N), international (Y/N).
- ID Cards – country, ID card number, forename, middle name, surname, start date, expiry date.
- Travel Preferences (inc. air, car, rail, Eurostar, hotel, accessibility requirements for trip) – seat type, seat allocation, meal preferences, home airport, online check-in preference, transmission, fuel/aircon, satnav (Y/N), coach number, room type, smoking/non-smoking.
- Vaccine information as required for bookings.
- Memberships/loyalty cards – Service type, supplier, membership number, date of expiry, status, level.
- Payment card details
- Communication preferences from us and our third parties, feedback and survey responses.
- Calls to and from R&M may be recorded from time-to-time
We may also collect, use and share aggregated data such as statistical or demographic data. Aggregated data may be derived from Personal Data but is permanently anonymised and cannot directly or indirectly reveal your identity. For example, we may aggregate travel data for Management Information reports.
HOW WE COLLECT PERSONAL DATA
We use different methods to collect data including through:
Method of collection: Direct Interactions
Description: You or your organisation may share the Personal Data above with us by:
– Providing a HR feed
– Corresponding with us by email, phone, post or otherwise
– Through your use of our online booking tool
We process this data on behalf of your organisation, as their Processor.
Method of collection: Automated Technologies or Interactions
Description: Through interactions with our websites, we automatically collect Technical and Usage Data on occasion about equipment, browsing actions and patterns. We collect this Personal Data by using cookies, and other similar technologies. Please see our cookie policy for further details.
Method of collection: Third Parties or Publicly available sources
Description: We receive data identifying client organisations from various third parties, such as analytics from Google and Pardot, and public sources.
3. HOW WE USE PERSONAL DATA
R&M will only use Personal Data as required to provide travel management and travel related services to our Clients. This processing of Personal Data is governed by a written contract between ourselves and our Clients. Additionally, we will only process Personal Data in the following circumstances, for particular purposes:
• Where it is necessary for our legitimate interests and personal interests and fundamental rights do not override those interests. This is for the improvement of our Service and management of the relationship we have with our Clients.
• Where we need to comply with a legal or regulatory obligation.
Travellers or event delegates may also need to provide us with Personal Data directly in connection with that engagement. We rely on the Controller to ensure data provided to us is accurate and current.
PURPOSES FOR WHICH WE WILL USE PERSONAL DATA
In our capacity as Processor for our Clients in the provision of travel & event management services:
Purpose/Activity: To register new travellers or event delegates and build the necessary profiles.
Type of Data: a) Contact; b) Traveller Profile
Lawful Basis for Processing: This is required to provide travel, events and related services requested by our Client. This is governed by instruction through a written contract with R&M, as a Processor.
Purpose/Activity: To process and deliver travel and events requirements: a) Manage bookings, refunds, payments, fees and charges. b) Collect and recover money owed to us.
Type of Data: a) Traveller Profile; b) Contact; c) Financial and Transactional
Lawful Basis for Processing: This is required to provide travel, events and related services requested by our Client. This is governed by instruction through a written contract with R&M, as a Processor.
Purpose/Activity: To manage our Client relationship which will include: a) Notifications about changes e.g. to our terms, products and Services, privacy policy etc. b) Asking for reviews or survey participation
Type of Data: a) Financial and Transactional; b) Contact; c) Traveller Profile; d) Communications
Lawful Basis for Processing: This is required to provide travel, events and related services requested by our Client. This is governed by instruction through a written contract with R&M, as a Processor.
In our capacity as Controller:
Purpose/Activity: To administer, protect and improve our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
Type of Data: a) Contact; b) Technical and Usage
Lawful Basis for Processing: Necessary for our legitimate interests (to define types of customers for our products and Services, to keep our website updated and relevant, and develop our business).
Purpose/Activity: To deliver relevant website content and communications and measure or understand the effectiveness of the communications we serve.
Type of Data: a) Contact; b) Technical and Usage; c) Communications
Lawful Basis for Processing: Necessary for our legitimate interests (to study how customers use our products/Services, to develop them, to grow and improve our business and to inform our communications strategy).
MARKETING – R&M do share marketing communications with prospective clients and leads, only where they have opted-in to this form of communication or where we have a legitimate interest in the processing of this data.
OPTING OUT – R&M do not rely on consent as a legal basis for processing Personal Data other than in prospect or lead marketing. To ask us or our third parties who support us in this marketing to stop sending marketing messages at any time, please get in touch with us at marketing@reedmackay.com or write to us at the following address:
Marketing Department
Nexus Place
25 Farringdon Street
London EC4A 4AF
Please note, this opt-out right will not apply to Personal Data provided to us as a result of a product/Service purchase, interest, warranty registration, product/Service experience or other transactions.
CALL RECORDINGS – R&M may record your calls with us for the purpose of training and monitoring. Callers will be made aware of this at the start of the call, and any call records will only be retained for 3 months, after which they will be permanently deleted.
COOKIES – Browser settings can refuse all or some (non-essential) browser cookies, or provide alerts when websites set or access cookies. If cookies are disabled or refused, please note that some parts of our websites or technology may become inaccessible or not fully functional. For more information about the cookies we use, please see our cookies policy.
4. DISCLOSURES OF PERSONAL DATA
We share Personal Data with the parties set out below only to the extent necessary, to support the purposes set out in the table in paragraph 3 above.
Sub-Processors are the third parties we contract with in order to support us in the provision of our Services to your organisation. This includes the third parties we use to power our tools such as our online travel and meeting booking tools. All third parties are engaged in line with GDPR Article 28 provisions to ensure your Personal Data is protected to the same level by our Sub-Processors as it is by ourselves, and that they only use Personal Data for specific, instructed purposes.
Please see the next section, International Transfers, to understand how we remain compliant when transferring your Personal Data internationally. For the avoidance of doubt this does not include Travel Service Providers.
To see a list of our sub-processors, please submit a request to privacy@reedmackay.com.
Travel Service Providers are the third parties who provide the travel services directly to yourselves. R&M engages with them on your behalf as our Client’s authorised agent in order to facilitate the provision of Services. Service Providers are categorised as the following:
• Parties that provide travel services and with whom R&M makes bookings on our Client’s behalf, including airlines, hotels, rail and other ground transport that our Clients choose to travel with;
• Parties that facilitate or process bookings (whether electronically or otherwise) made by R&M on our Client’s behalf for travel services, including on-line booking tools or other external software and travel agents; or
• Parties that process applications to assist or enhance a person’s ability to receive the benefit of the Services, including passport and visa agencies, currency convertors, travel information services and other similar agencies.
Travel Service Providers are independent Controllers of Personal Data and have direct obligations to yourselves regarding the processing and security of your Personal Data, and in giving effect to your Individual Rights. R&M always acts in these circumstances as Processor on our Client’s behalf. We are not responsible for the acts or omissions of such service providers.
THIRD-PARTY LINKS
Our website or use of our technology or Services may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share Personal Data. We do not control these third parties and are not responsible for how they process Personal Data.
5. INTERNATIONAL TRANSFERS
As a Processor for our Clients, and in the provision of a global service, we share Personal Data among the entities within R&M’s operational control (please see these entities listed below under Group Entities), with our local TMC Partners and with third party sub-processors. This will involve transferring Personal Data outside the UK and the European Economic Area (EEA).
We ensure the same degree of protection is afforded to all Personal Data by ensuring at least one of the following safeguards is implemented:
• We will only transfer Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the ICO or the European Commission.
• In the absence of an adequacy decision, we will implement the necessary transfer tools of Standard Contractual Clauses or the UK International Data Transfer Agreement (or Addendum) with additional supplementary measures as needed with our sub-processors who store and process data in the US and other third countries using appropriate encryption tools, in compliance with the recent Schrems II decision.
6. DATA SECURITY
R&M operates as part of a global business and our Clients’ Personal Data will be processed by our international entities as set out in paragraphs 4 and 5 above. However, we store all Personal Data in the UK.
We have put in place appropriate security measures to prevent the accidental, unauthorised or unlawful access, loss, alteration, or disclosure of Personal Data. In addition, we only permit access to your Personal Data to those employees, agents, contractors and other third parties on a need-to-know basis. They will only process Personal Data on our instruction, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected Personal Data breach and will notify our Clients and any applicable regulator of a breach where we are legally required to do so.
7. DATA RETENTION
HOW LONG WILL PERSONAL DATA BE PROCESSED? – We will only retain Personal Data for as long as is necessary to fulfil the purpose for which it was processed, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate measures for retention for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of Personal Data, and the purposes for which we process Personal Data.
Specifically, our Client Personal Data held in profiles and travel bookings/history is retained for the duration of the contract with the Client organisation unless otherwise instructed by that organisation.
Requests to remove profiles may come as part of the regular or one-off automatic profile maintenance feeds provided by some of our Clients, may be requested through the portal, or via travel consultants who have the ability to delete profiles.
Management Information (MI) data, which would include travel details (including traveller names but not passport etc.), is retained for a period of 5 years (rolling) irrespective of the currency of our Client’s contract (i.e. this data will exist for 5 years beyond the last travel date).
Similarly, Transaction History, which would include travel details (including traveller names but not passport etc.), is retained for a minimum of 7 years to comply with legal obligations.
Call recordings are retained for 3 months.
Personal Data that is no longer required is deleted permanently from information systems and any hard copies are securely destroyed.
By law we are required to keep basic information about our customers (including Contact, Financial and Transactional Data) for 7 years after they cease being customers for tax purposes.
In some circumstances we may anonymise Personal Data (so that it can no longer be associated with an individual) for research or statistical purposes in which case we may use this information indefinitely without further notice.
8. LEGAL RIGHTS
You can submit an Individual Rights request for any of the following to privacy@reedmackay.com.
As a Processor of Personal Data on behalf of our Clients, R&M can only give effect to Individual Rights requests on the instruction of our Clients. We will need to verify your request with your organisation, and obtain their permission to give effect to these rights as a Processor:
• Request access to Personal Data (commonly known as a “data subject access request”). This enables individuals to receive a copy of the Personal Data held about them and to check that the data is being lawfully processed.
• Request correction of the Personal Data that we hold about an individual. This enables individuals to have any incomplete or inaccurate data we hold about them corrected, though we may need to verify the accuracy of the new data provided to us.
• Request erasure of Personal Data. This enables individuals to ask us to delete or remove Personal Data where there is no valid reason for us continuing to process it. Note, however, that we may not always be able to comply with the request of erasure for specific legal reasons which will be notified to the requestor, if applicable, at the time of the request.
• Request the transfer of Personal Data. This will typically be requested at the corporate level should your organisation be changing your Service. Upon our Client’s request, we will provide the data in a structured, commonly used, machine-readable format. Note this right only applies to information held on electronic media which was initially provided to us in order to perform a contract with your organisation.
Please note, Clients and individuals are able to update or delete certain Personal Data items included in their profile through an interface from our Client’s HR system, through direct access to their profile, or via a travel consultant/agent.
Where this is not possible or applicable, or an individual wishes to exercise any of the other rights set out above, please contact us at privacy@reedmackay.com. In capacities where we process your Personal Data as Processor (as described in paragraph 3 above), on behalf of our Client, the Controller, we will notify the Controller of the request without undue delay and support them in responding to it.
In our capacity as a Controller of your Personal Data (as an employer, and for specific Client communications and Service improvements), we will be able to address your Individual Rights requests directly.
Additional to the rights listed above, you may also request the following:
• Object to processing Personal Data where we are relying on a legitimate interest (or that of a third party) and you feel the processing impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process the information which override these rights and freedoms.
• Request restriction of processing Personal Data. This enables you to ask us to suspend the processing of Personal Data in the following scenarios: (a) to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of the data but we need to verify whether we have overriding legitimate grounds to use it.
• Withdraw consent at any time where we are relying on consent to process Personal Data. However, this will not affect the lawfulness of any processing carried out before withdrawal of consent. If consent is withdrawn, we may not be able to provide certain services. We will advise if this is the case at the time consent is withdrawn.
NO FEE USUALLY REQUIRED – Individuals will not have to pay a fee to access their Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if the request is repetitive or excessive. Alternatively, we may refuse to comply with the request in these circumstances.
WHAT WE MAY NEED – We may need to request specific information from the individual, or the employer or travel sponsor to help us confirm the individual’s identity and ensure their right to access the Personal Data (or to exercise any of the other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also ask for further information in relation to the request to speed up our response.
TIME LIMIT TO RESPOND – We aim to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if the request is particularly complex or a number of requests have been made. In this case, we will notify requestors of this and keep them updated.
8. FURTHER INFORMATION
Please direct any questions about how we process personal information to our Data Protection Officer, who is contactable at privacy@reedmackay.com. We hope that we will be able to address any questions or concerns.
However, individuals also have the right to make a complaint at any time to their local Supervisory Authority. Please see below the contact information for the Supervisory Authority in your region:
Country/State: Supervisory Authority, Contact Helpline
United Kingdom: Information Commissioner’s Office (ICO), +44 (0) 303 123 1113
France: Commission Nationale de l’Informatique et des Libertés (CNIL), +33 (0) 1 53 73 22 22
Germany: Bundesbeauftragter für Datenschutz und Informationsfreiheit (BfDI), +49 (0) 228 997799-0
Norway: Datatilsynet, +47 22 39 69 00
Spain: Agencia Española de Protección de Datos (AEPD), +34 (0) 901 100 099
Sweden: Integritetsskyddsmyndigheten (IMY), +46 (0) 8 657 61 00
Australia: Office of the Australian Information Commissioner (OAIC), 1300 363 992
California: California Privacy Protection Agency (CPPA), +1 209 948 1911
Canada: Office of the Privacy Commissioner of Canada, (819) 994 5444
New Zealand: Privacy Commissioner’s Office (PCO), +64 9 302 8680
9. GROUP ENTITIES
This privacy notice applies to all Reed & Mackay Group Entities as listed below:
Reed & Mackay Travel Limited: 25 Farringdon Street, London, EC4A 4AF, United Kingdom
Reed & Mackay Travel Management Services FZE: Office GB08-10, Dubai Silicon Oasis HQ Building, Dubai Silicon Oasis, Dubai, PO Box 341411, UAE
Reed & Mackay Travel Services FZE: Level 01, Incubator Building, Masdar City, Abu Dhabi, UAE
Reed & Mackay Travel Inc.: 1900 Market Street, 8th Floor, Philadelphia, PA 19103
Reed & Mackay Travel Australia Pty Limited: Concierge House, 332 Kent Street, Sydney, NSW 2000, Australia
Reed & Mackay Travel Singapore Pte Limited: 600 North Bridge Road #10-01 Parkview Square, Singapore 188778
Reed & Mackay France: SAS 63 Bis Avenue Ledru Rollin, 75012 Paris, France
Reed & Mackay Deutschland GmbH: Robert-Bosch Str 32, D-63303, Dreieich bei Frankfurt, Germany
Reed & Mackay Canada Inc.: 34 Britain Street, Suite 200, Toronto, Ontario M5A 1R6, Canada
Reed & Mackay Travel India Private Limited: 414, 4th Floor, D-21 Corporate Park, Dwarka, New Delhi, 110075, India
Reed & Mackay Travel New Zealand Limited: BDO, L4, 4 Graham Street, Auckland Central, Auckland, 1010, New Zealand
Reed & Mackay Espana S.A.U.: Carrer de Calvet, 55, Barcelona 08021, Spain
Reed & Mackay Sverige AB: Kruthusgatan 17, 411 04, Göteborg, Sweden
Reed & Mackay Norge AS: Postboks 39, 1720 Greåker, Norway