We believe that it is important to protect your Personal Data (as defined in the Data Protection Act 1998) and we are committed to give you a personalized service that meets your needs in a way that also protects your privacy. We know that you care how information about you is used and shared and we appreciate your trust in us to do that carefully and sensibly.
Where the context permits, reference to “you”, “your” and “yourself” will include you and everyone on whose behalf you have provided us with Personal Data subsequently added or substituted at a later date. "We", "us" and "our" all refer to CARUS Travel Ltd.
Who are we?
CARUS Travel Ltd. is a tour organising company which provides you with bespoke travel arrangements. Such bespoke holiday arrangements include e. g. accommodation, transfers, opera and sport tickets, Hospitality Packages, admission tickets, restaurant arrangements. Our registered office is at 3 Acorn Business Centre, Northarbour Road, Cosham, Portsmouth, PO6 3TH, UK, our registered number is 07704220 and our office is at 2 South Pines, 2a Brownsea Road, Poole, Dorset, BH13 7QP, UK.
CARUS Travel Ltd., trading as CARUS Travel, is the Data Controller for the website www.carus-travel.com (the “Website”) and our General Data Protection Owner can be contacted by email: email@example.com.
Lawful Basis for obtaining your Personal Data
We require your Personal Data in order to be able to
· provide you with the service you have requested from us. This also includes steps taken at your request before entering into a contract (e. g. contacting you via email or telephone to discuss your specific requests and sending you our booking proposal)
· comply with legal obligations (For example, we can pass on the details of people involved in fraud or other criminal activity affecting the Partnership to law enforcement. UK Government also requires that invoices have to include name and address of the costumer we are invoicing, see https://www.gov.uk/invoicing-and-taking-payment-from-customers/invoices-what-they-must-include and we also need Personal Data from you in order to provide you with the financial protection of your payments which we’re legally required to provide to you under European Package Travel Regulation)
· fullfill statutory provisions, in particular with regard to accounting, accounting purposes, internal record keeping and/or archival purposes.
· monitor and assess the quality of our services and to comply with the law regarding data sharing. In legal terms this is called ‘legitimate interests’.
Consent as lawful basis for collecting Personal Data
If we collect Personal Data based on consent from you it will be done by using „Consent Forms“. Such „Consent Forms“ will store information related to the consent given by you.
Contract as lawful basis for collecting Personal Data
We use your Personal Data to fulfill our obligations related to your booking and agreements with you, our suppliers and partners.
Legitimate Interest as lawful basis for collecting Personal
We may use Personal Data if it is considered to be of legitimate interest, and if your privacy interests do not override our interest. This legal basis is primarily related to our sales and marketing purposes.
1. Definition of Personal Data
2. Owner of your Personal Data
3. Collecting of your Personal Data
4. Type of collected Personal Data
5. Usage of your Personal Data
6. Protecting of your Personal Data
7. Duration of storage of Personal Data
8. Controlling the collection, use and distribution of your Personal Data
9. Correcting, updating and deleting of your Personal Data
10. Direct Marketing Material
11. Links to other sites
12. Intellectual Property
14. Third Party Services
15. Further information
17. Changes to this policy
1. DEFINITION OF PERSONAL DATA
"Personal Data" is information that would allow someone to identify or contact you. Such information includes for example, your full name, address, telephone number and e-mail address. A name is the most common means of identifying someone. However, whether any potential identifier actually identifies an individual depends on the context. By itself the name Michael Schmid may not always be personal data because there are many individuals with that name. Personal Data does not include aggregated information that, by itself, does not permit the identification of individuals. Some of the Personal Data may be 'sensitive personal data' within the meaning of the Data Protection Act 1998, for example special requirement data relating to diets, disability or health. This information will be required by us only to act in your interest and cater for your needs when your booking with us includes a pre-booked meal and we will accept this sensitive Personal Data only on the condition that
· we have your positive consent to provide such information to the supplier for the meal services or
· in case of an emergency when you are on holiday and it may be necessary to share this information with e. g. our insurers or advisors.
2. OWNER OF YOUR PERSONAL DATA
All (Personal) Data collected through the Websites and our office are owned by us. The operation and hosting of the Websites and operation and hosting of other software used in our office may be outsourced. Nevertheless a third party will not have any right or any ownership interest to use the personal information apart from the operation of the Websites and other softwares.
3. COLLECTING OF YOUR PERSONAL DATA
3.1. Information we may collect from you and why we collect it
3.1.1. We (may) collect Personal Data about you from you when you contact us with an enquiry or in response to a communication from us, in which case, this may tell us something about how you use our services. This Personal Data may include your contact details (name, address, telephone number and email address), Characteristics (such as gender, language, nationality), travel preferences, special needs/disabilities/dietary requirements, pick-up and drop-off information and any information about other persons on your booking (“your information”)
You may provide us with this information through our website or via email, phone or through other off-line means.
If you contact us, we may keep a record of your email(s) or other correspondence.
4. TYPE OF COLLECTED PERSONAL DATA
4.1. We collect title, fore- and surname, address, phone number, email address and if you are a business client we collect also your company’s name and contact information. We may also collect feedback and comments received from you in relation to our provided service and dietary requirements/food allergies. In case we have to make a refund to you due to e.g. overpayment or (part) cancellation of your contract with us we have to ask for your bank details in order or process the refund. From our websites Jimdo may collect IP-address and actions taken on the site only for generic statist purposes (see clause 13. and 14.).
5. USAGE OF YOUR PERSONAL DATA
5.1. Personal Data about you is an important part of our business and we shall only use your Personal Data for the purposes set out below and in
our registration with the Office of the Information Commissioner. We shall not keep such Personal Data longer than is necessary to fulfil
these purposes. Please note that we can’t provide you with our services in case we don’t receive all required Personal Data at the requested time.
We use your personal data
5.1.1. To help us to
· reply to web forms you have completed on our website www.carus-travel.com
· identify you when you contact us and to understand your needs, arrange and provide you with the service you have requested. We also use it to advise you of information concerning your holiday booking, enquiry or other transaction.
· follow up on requests (e. g. emails, phone).
5.1.2. In some cases we may also need to collect sensitive personal data such as information concerning medical conditions, disabilities and special requirements, if you made us aware of such conditions in order to be able to consider your particular needs in relation to a booking and to evaluate if we and our suppliers are able to accommodate your request.
5.1.3. In order to
· perform contractual obligations such as a booking confirmation, invoice, reminders, and similar.
· process your booking and to make certain that your travel arrangements run well and meet your needs. In order to do so we must pass some of the provided Personal Data on to the relevant suppliers of your travel arrangements (e. g. hotels, transport companies, event organising companies, catering companies, third-party partners). Our suppliers require some personal information prior to your arrival in order to be able to provide you with the arrangements you have requested through/booked with us. They are only permitted to use the information in connection with the delivery or administration of our service.
In most cases this will only be your title, initial/forename and surname – which wouldn’t allow them to identify you without any further personal information (e g. full address, telephone number and e-mail address). In case your booking includes
If pre-ordered meals are part of the package you book with us our suppliers (e.g. hotel, catering companies, event organising companies) require notice of any dietary requirements/food allergies prior to the service date. In such cases we contact you and ask you if our suppliers have to be notified of any dietary requirements/food allergies.
· notify you about any disruptions to your booked services.
5.1.4. To provide you with the 100% financial protection (Stand Alone Safe Seat Plane Guarantee Certificate ) for the payments you have made - which you have a right to receive under European Package Travel Regulation -. In order to be able to do so we have to pass on Personal Data to the Travel Trust Association of whom we are a member (membership number U9905, you can verify our membership through the following website https://www.thetravelnetworkgroup.co.uk/verify_member).
5.1.5. For our cloud based bookkeeping /accounting system.
5.1.6. To help us to identify services which you could have from us or selected partners from time to time.
5.1.7. To allow us to carry out marketing analysis, conduct research, management reporting.
5.1.8. To help to prevent and detect fraud or loss.
5.1.9. To handle complaints.
5.2. We will not
· pass any information on to any person who is not responsible for part of your travel arrangements. This applies to any sensitive information that you give to us as well.
· share data with third parties for marketing purposes.
5.3. We may allow other people and organisations to use Personal Data we hold about you in the following circumstances:
5.3.1. If we, or substantially all of our assets or capital stock, are acquired or are in the process of being acquired by a third party or in the event of bankruptcy, in which case Personal Data held by us, about our customers, will be one of the transferred assets.
5.3.2. If we have been legitimately asked to provide information for legal or regulatory purposes or as part of legal proceedings or prospective legal proceedings or debt collection.
5.3.3. We can disclose any information about you to private entities, law enforcement or other government officials if we in the unlikely event need to investigate or resolve possible problems or inquiries. The decision to do so is in our sole discretion if we believe it necessary or appropriate. This may also include the disclosure to regulatory or Government body, in your country of origin or elsewhere, upon a valid request to do so. These requests are assessed on a case-by-case basis and take the privacy of our customers into consideration.
5.3.5. In connection with any transaction/service which we enter into with you, if you provide false or inaccurate information to us and we suspect fraud, we will record this and may share it with other people and organisations.
5.3.6. For a variety of purposes (e. g. operating, business management, reviews , enhancing our Web Site and/or our services) we also use personal information on an aggregated basis.
6. PROTECTING OF YOUR PERSONAL DATA
We have taken all reasonable steps and have in place appropriate security measures to protect your information.
6.1. We work to protect the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input and firewalls. Regarding Security measures see also clause 13. Third party services.
6.2. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personally identifiable customer information.
6.3. However, perfect security does not exist on the Internet. Please remember that communications over the Internet, such as emails and webmails (messages sent through a website), are not secure unless they have been encrypted. Your communications may go through a number of countries before they are delivered - this is the nature of the Internet. We cannot accept responsibility for any unauthorised access or loss of Personal Data that is beyond our control.
7. DURATION OF STORAGE OF PERSONAL DATA
Your Personal Data will be stored by us for as long as we find it necessary to fulfill the purpose for which your Personal Data has been collected and also to comply with legal requirements under applicable laws, to attend to any legal claims/complaints and for safeguarding purposes (e.g. when you book a travel arrangement with us we will keep your personal data for 6 years from the end of the financial year the travel arrangement has been concluded). While doing so we will also consider our need to answer your queries or resolve possible problems. Your Personal Data will therefore be stored for a reasonable period of time after your last interaction with us.
8. CONTROLLING THE COLLECTION, USE AND DISTRIBUTION OF YOUR PERSONAL DATA
8.1. By following the instructions stated below in no. 9. you can control the content of the personal information we have collected from you.
8.2. Different rules may be relevant to the use or disclosure of your personal information if you give any information on your own or directly to parties who provide services connected with our Sites. We advise you ask questions before disclosing information to third parties.
8.3. Although your privacy is very important to us, we cannot fully ensure that the Personal Data you provide will not be unlawfully intercepted by third-parties.
9. CORRECTING, UPDATING AND DELETING OF YOUR PERSONAL DATA
At any point while we are in possession of or processing your personal data, you have the following rights:
a. Right of access – you have the right to request a copy of the information that we hold about you. You can do this by emailing us at firstname.lastname@example.org or writing to us at the address noted above.
b. Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete. We aim to keep the Personal Data we hold about you accurate and up to date. Please email us at email@example.com or write to us at the office address noted above in order to update or delete your Personal Data.
c. Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records. Once you have informed us that you would like your Personal Data deleted, we cannot use these Data in the future nor can we disclose them to third parties nor will you able to receive future services from us until we receive again an booking enquiry/request and therefore consent from you to use your Personal Data again. Under certain circumstances, deletion may be precluded by statutory provisions, in particular with regard to accounting, accounting purposes and/or archival purposes. In this case we only use your date for the above mentioned purposes.
d. Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
e. Right of portability – you have the right to have the data we hold about you transferred to another company/organisation.
f. Right to object – you have the right to object to certain types of processing such as direct marketing.
g. Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
h. Right to judicial review: in the event that we refuse your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in clause 15. below.
All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.
10. DIRECTMARKETING MATERIAL
When we intend to contact you in any way (e. g. mail, email, telephone) about products and services offered by us and selected partners (such as flyers, new tours, forthcoming events) we will give you the opportunity to tell us if you do or do not want to receive marketing information from us when we first obtain Personal Data from you, or when you take a new service or product(s) from us. As we take your privacy seriously we will only send you direct marketing when we have received consent from you to contact you for this purpose and also have received information from you how you like to be contacted (post, email, telephone).
If you have given us consent to send you direct marketing email you can of course revoke consent in sending us an email to firstname.lastname@example.org or call us under the telephone number which you can find on the homepage of our website www.carus-travel.com. Once properly notified by you, we will take steps to stop using your information in this way.
11. LINKS TO OTHER SITES
11.1. Our website may contain links to other websites. Please be aware that we do not have any control over any other website once you have used these links to leave our site. Therefore such sites are not governed by this privacy statement and we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites. You should exercise caution and look at the privacy statement applicable to the website in question
11.2. We do not provide any personally identifiable customer Personal Data to third-party websites.
11.4. We exclude all liability for loss that you may incur when using these third party websites.
12. INTELLECTUAL PROPERTY
Services sold by us and Website content may be subject to copyright, trade mark or other intellectual property rights in favour of third parties. We acknowledge those rights.
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity.
You can set your browser to not accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of website features may not function as a result.
Our website is created with Jimdo GmbH – a company based in Germany - which is a service that is offered internationally. Thus, it extends not only beyond the federal republic of Germany, but also beyond the European Union. Jimdo would prefer to use European service providers for particular services and service offerings, where such providers can deliver the required services at a comparable and competitive price and service level. However for many of the services that Jimdo uses they state that there is simply no comparable, acceptable alternative. As a result Jimdo therefore employs the use of a range of service providers outside the European Union, in particular from the USA. Jimdo take steps to ensure that measures according to European Data Protection law are taken and applied so as to guarantee an adequate level of data protection.
As some of your personal information is processed on behalf of us, we have a data processing contract with Jimdo in place. Our contract with Jimdo includes a clause that Jimdo is obliged to carry out the data processing, insofar as this deviates from section 4.1. of our contract directly on our behalf, is carried out only in the Member States of the European Union (EU) or the European Economic Area (EEA) or, in the case of processing of data in a third country, to make arrangements that allows that data are processed in a permissible manner in accordance to §§ 4b, 4c BDSG.
Jimdo uses several website analysis services based on our legitimate interests in the analysis, optimization, and economic operation of their offer and capture personal data of a visitor of a Jimdo user's website. These services are Google Analytics, Google Tag Manager. Jimdo uses Google Analytics to generate statistics for our website. The data collected is processed in a non-personally-identifying form (“anonymizeIp”).
Jimdo uses as well other services Tools which captures personal data of a customer of a Jimdo user’s website. Such services/tools are e. g.:
Purpose: Fax service for the sending and receipt of faxes. from Jimdo users as well as local and international authorities etc.
Data Category: Usage data, Inventory data, Contract data, Communication data
Data Subjects: amongst other Customers or interested parties of the Jimdo user’s website.
Purpose: A web based application for the technical delivery and management of emails or email accounts
Data Category: Usage data, Communications data
Data Subjects: amongst other customers/interested parties of the Jimdo user’s website
Purpose: Content Delivery including the delivery of Google Fonts for Jimdo websites
Data Category: Inventory data, Content data
Data Subjects: amongst other customers/interested parties of the Jimdo user’s website
Purpose: Crash/Problem Reporting
Data Subjects: amongst other visitors to the website of the Jimdo user
If you like to pay for your booked travel arrangements with a Credit Card we provide you with a hosted payment service from Worldpay. Through this hosted payment page, card processing is managed by Worldpay, therefore you can be confident that payment details are processed securely in line with PCI DSS compliance. Worldpay captures your sensitive payment information for us, helping us to reduce our security costs. Your credit card details are not stored by us and cannot be accessed by anybody within our company.
You can access Worldoays Hosted Payment Pages through our webpage „Kartenzahlungen“.
You should review Worldpays (Worldpay Limited, Worldpay (UK) Limited, Worldpay AP Limited and Worldpay BV Privacy (https://www.worldpay.com/uk/comprehensive-privacy-policy) to ensure you are happy with it.
Xero (Xero Limited, PO Box 24 537, Wellington 6142, New Zealand) is a provider of online accounting software that gives business owners and their advisors real-time visibility of a business’ financial position. The Service involves the storage of Data about a company or individual which can include personal information.
d. G Suite
G Suite (formerly Google Apps for Work and Google Apps for Your Domain) is a brand of cloud computing, productivity and collaboration tools, software and products developed by Google. G Suite comprises Gmail, Hangouts, Calendar, and Google+ for communication; Drive for storage; Docs, Sheets, Slides, Forms, and Sites for collaboration; and, depending on the plan, an Admin panel and Vault for managing users and the services. It also includes the digital interactive whiteboard Jamboard.
Being based in Google's data centers, data and information is saved instantly and then synchronized to other data centers for backup purposes.
Google operates a global infrastructure designed to provide state-of-the-art security throughout the data processing cycle. This infrastructure enables secure provision of services, secure storage of data with data protection for end users, secure communication between services, secure and private communication with customers over the Internet and secure operation by administrators. The G Suite and the Google Cloud Platform both run in such an infrastructure.
Google has structured the security of their infrastructure into layers that build on each other - from the physical security of data centers, through the security mechanisms of their hardware and software, to the processes Google follows to promote operational security. A detailed description of Google's infrastructure security can be found in their white paper "Google's Infrastructure Security Design Overview" (visit https://gsuite.google.com/security/)
Google acts as a data processor for us and we have a data processing agreement in place which contains the necessary data processing terms.
As data of our clients may be transferred to the US we would like to point out that Google LLC is certified under the Privacy Shield Agreement between the EU and the USA and the Privacy Shield Agreement between Switzerland and the USA. Googles’ certifications are included in the Privacy Shield list.
The European Commission has concluded that the EU-U.S. Privacy Shield establishes an appropriate mechanism to enable EU companies to comply with EU data protection requirements regarding the transfer of personal data from the European Union to the US.
e. Apple Products
f. Google Adwords
Based on our legitimate interests in the analysis, optimization, and economic operation of our offer we use Google Ads analytics services. Google Ads (previously Google Adwords) is an online advertising service developed by Google, where advertisers pay to display brief advertisements, service offerings, product listings, and video content within the Google ad network to web users. Google AdWords' system is based partly on cookies and partly on keywords determined by advertisers. Google uses these characteristics to place advertising copy on pages where they think it might be relevant. Advertisers pay when users divert their browsing to click on the advertising copy. The site visitor can permanently deactivate the setting of cookies for advertising preferences by installing the browser plug-in available under the following link: https://www.google.com/settings/ads/onweb/
g. Google Analytics
You can prevent the collection by Google Analytics by clicking on the link provided on our website at the bottom of the page under "Datenschutz". An opt-out cookie is set to prevent future collection of your data when you visit this website.
Use of YouTube videos
If the site visitor is logged in to Google, his data will be directly assigned to his account when he clicks on a video. If the page visitor does not wish to be assigned to his profile on YouTube, he must log out before activating the button.
Google saves its data (even for users who are not logged in) as usage profiles and evaluates them. Such an evaluation takes place in particular according to Art. 6 Abs. 1 lit.f DSGVO on the basis of the justified interests of Google in the insertion of personalised advertising, market research and/or needs-oriented organization of its web page. The site visitor has the right to object to the creation of these user profiles and must contact YouTube to exercise this right.
i. Travel Trust Association (part of The Travel Network Group Limited)
The Travel Trust Association is a travel trade association. Their members consist of travel agents, tour operators and travel organisers. It exists in order to protect you with 100% financial protection and has been doing so for over 20 years. The Travel Trust Association will protect you in the unlikely event of us becoming insolvent. Should we for any reason financially fail or cease trading, the Travel Trust Association will liaise with our suppliers to ensure that your holiday goes ahead unaffected. If for any reason this is not possible, the Travel Trust Association will administer a claim for a refund of money that you have paid to us for your holiday. Furthermore they support their members in getting appropriate insurance cover for their customer bookings. This may involve that we have to disclose personal information to them. They also process payments as a part of their internal finance function. This information will include name, address, payment details and on occasion other information such as date of birth. You could review The Travel Network Group Limited’s Pivacy Policy here https://www.thetravelnetworkgroup.co.uk/privacy-policy to ensure you are happy with it.
15. FURTHER INFORMATION
In the event that you wish to make a complaint about how your personal data is being processed by us (or third parties as described in 14. above), or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and our GDPR Owner.
The details for each of these contacts are:
GDPR Owner contact details:
CARUS Travel Ltd., Attn. Managing Directors, 2 South Pines, 2a Brownsea Road, Poole, BH13 7QP, UK
Tel.: +44 (0)1202 287576
Supervisory authority contact details:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF, UK (https://ico.org.uk/concerns/)
17. CHANGES TO THIS POLICY