GDPR Policy v3 8th September 2020

 

Purpose

To ensure compliance with the General Data Protection Regulation, in effect from 25th May 2018, and to establish the following:

  • Who is the Data Controller?

  • What data do we receive?

  • What data is stored?

  • Where is data stored?

  • Who has access?

  • For what purpose is data stored?

  • For how long is data stored?

  • How is consent to use data obtained?

  • How is a request for information handled?

  • How is data deleted?

  • What control measures are in place?

  • What is the procedure to report a potential breach?

The document is deemed correct at the date of production, and will be reviewed when changes in legislation, procedures, and/or suppliers may so require. For the purpose of accuracy, the document will only be considered implemented when clearly marked as such.

 

Who is the Data Controller Officer (DCO)?

The post of Group Operations Director, reporting to the Chief Operating Officer, is responsible for the day-to-day management of Data Protection and for ensuring compliance with this document. The CEO is ultimately responsible for ensuring that the Company is compliant with legislation as appropriate.

The DCO is: Christian Kaberg, christian@sphg.co.uk

The ultimately responsible person is: Antonio Megaro, antonio@sphg.co.uk

 

What data do we receive?

Guests

  1. Name

  2. Address

  3. Email

  4. Telephone number

  5. Passport details (if non UK resident)

  6. Credit Card details (tokenized details ONLY)

Team Members

  1. Name

  2. Address

  3. Email

  4. Telephone number

  5. Passport/ID card details

  6. Bank Details

  7. Next of Kin Name

  8. Next of Kin Telephone number

Kx Club

  1. Name

  2. Address

  3. Email

 

What data is stored?

Guests

  1. Name

  2. Address

  3. Email

  4. Telephone number

  5. Passport details (non UK residents only)

Team Members

  1. Name

  2. Address

  3. Email

  4. Telephone number

  5. Passport/ID card details

  6. Bank Details

  7. Next of Kin Name

  8. Next of Kin Telephone number

Kx Club

  1. Name

  2. Address

  3. Email

 

Where is data stored?

Guests

  • Property Management System

  • Payment Express

  • Revinate Marketing Tool

  • Open Table

  • Design My Night

Team Members

  • Sage Payroll

  • Corporate Server located in Derbyshire House Server Room

Kx Club

  • DropBox – corporate account

  • Revinate Marketing Tool

 

Who has access?

Guests

  • Employees of Guestline, Book Assist and Online Travel Agents*

  • Current team members of St Pancras Hotels Group Ltd, restricted to:

    • Front Office Team

    • Housekeeping Manager/Assistant Manager/Supervisor

    • Restaurant Manager

    • Events Coordinator/s

    • Group Marketing Executive

    • Group Revenue Manager

    • Group Accounts Manager

    • Group Operations Director (DCO)

    • Chief Executive Officer

    • Bar & Restaurant Staff (name and email ONLY)

  • Employees of Revinate (name and email ONLY)

  • Employees of Dodgems & Floss (name and email ONLY)

  • Employees of Payment Express (name and credit card ONLY)

  • Employees of Elavon (name and credit card ONLY)

  • Employees of Open Table (name and email ONLY) *

  • Employees of Design My Night (name and email ONLY) *

NOTE – No organisations or people other than Elavon and Payment Express have access to Credit Card details. This includes team members of SPHG.

* Details are provided to SPHG Ltd via the supplier, who collects the data and stores it outside of our control.

Team Members

Current team members of St Pancras Hotels Group Ltd, restricted to;

Kx Club

  • Revinate

  • Group Operations Director (DCO)

  • Group Sales Manager

  • Group Marketing Executive

  • Dodgems & Floss

 

For what purpose is data stored?

Guests

  • To ensure reservations of facilities can be made

  • Pre-arrival confirmation of reservations

  • Compliance with legislation

  • Marketing purposes, to drive guest loyalty

Team Members

  • To ensure compliance with legislation

  • To ensure payments can be made to the employee

Kx Club

  • Marketing purposes, to drive guest loyalty

 

For how long is data stored?

Guests

  • Indefinitely, until such date as the guest requests removal of their details, unless in contradiction with legislation.

Team Members

  • Throughout employment with SPHG Ltd and associated companies, and until such date as required by legislation.

Kx Club

  • Indefinitely, until such date as the guest requests removal of their details, unless in contradiction with legislation.

 

How is consent to use data obtained?

Guests – Hotel/Restaurant/Events

  • Via reservation systems such as Guestline, Book Assist, and/or Online Travel Agents. Details are entered by the guest themselves.

  • When arriving at the property without a reservation, details are provided by guests and entered by SPHG Ltd team members into an approved reservation system ONLY.

Team Members

  • Through application process for employment with SPHG Ltd and associated companies.

Kx Club

  • By application for membership via the website hosted by SPHG Ltd.

  • Through manual application on our premises, using approved forms which include name, email and company ONLY.

 

How is a request for information handled?

  • All requests for information are addressed to the DCO.

  • Only requests provided in writing will be considered.

  • All requests will be responded to within the relevant timeframe, as stipulated by legislation in force at the time of request.

  • In the unlikely event that a DCO is not available to respond within the timeframe stipulated by current legislation, the Chief Executive Officer will appoint a suitable interim DCO, who will act within the directives stipulated in this document.

  • Requests for data will only be accepted from the person to whom the data relates, unless specifically instructed by a responsible authority, supported by legally binding instructions in writing.

 

How is data deleted?

Data is deleted by the DCO, who will have full access to all databases stored at premises controlled by St Pancras Hotels Group Ltd. All requests for data deletion will be actioned within a reasonable timeframe, and it is endeavoured that this timeframe will not exceed 30 days from request. However, should the request to have data deleted contradict the legislation of England and Wales, or instructions by responsible authorities, data will remain on file until instructed by the aforementioned.

 

What control measures are in place?

All data access is controlled by the following tangible measures:

  • Data access is restricted to positions, as defined in this document.

  • On-site servers are kept in access controlled areas.

  • Remote access to servers is restricted to appointed IT consultants only.

  • All on-site storage of data is kept on the servers, and not on individual work stations.

  • The ability to copy database files is restricted to the DCO only.

  • User Passwords are programmed to change every 90 days.

  • All third party business partners who keep data of guests and/or associates are requested to provide GDPR Policies and confirmation of GDPR Compliance prior to engagement. This data is reviewed annually, or when legislative changes so require.

 

What is the procedure to report a potential breach?

If a suspected breach takes place, all individuals who have been identified as possibly affected by the breach will be contacted within 24 hours of SPHG Ltd, the DCO and/or a Third Party Business Partner being made aware that a potential breach has or may have taken place.

This communication will be done via email as far as reasonably possible. SPHG Ltd reserves the right to issue a formal statement using other channels, should the Company deem that to be a better or swifter option.

 

Business Partners

Details listed below are correct as of when this document was created. Any changes will be recorded on this document, but will not require a revision to be issued.

 

Review of this document, and amendments.

This document took effect 22nd May 2018, and will be reviewed when legislation so requires. The person responsible for undertaking reviews is the DCO, or a suitably appointed person and/or organisation. The ownership of this document is restricted to St Pancras Hotels Group Ltd, and any associated organisation owned or operated by St Pancras Hotels Group Ltd.

Version 1 Christian Kaberg, Group Operations Director

Data Controller Officer (DCO) 5th May 2018.

Version 2 Christian Kaberg, Group Operations Director

Data Controller Officer (DCO) 13th July 2019.
