Our Privacy and Cookie Policies
Last updated: 23rd May 2018
You may be asked to provide personal data whilst you are in contact with us. Personal data is information that can be used to identify or contact you. You do not have to provide the personal data that we request; however, if you choose not to, we may not be able to provide you with the products and/or services that you have requested.
If we combine personal data with non-personal data, the combined information will be treated as personal data for as long as it remains combined. Personal data does not include data where the identity has been removed (anonymous data).
If you are booking our services on behalf of another person, you must have their consent to use their personal data.
For the purpose of the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation and the Data Protection Act 1998 (“Data Protection Legislation”), the data controller is Isles of Scilly Steamship Company Limited, a company registered in England and Wales with company registration number 00165746 whose registered office is at Hugh Town, St. Marys, Isle Of Scilly TR21 0LJ. Our Data Protection Registration Number is Z1687873.
Information we may collect from you and how we use it
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Financial Data includes bank account, direct debit and payment card details (type, number, name on card, expiry date and CCV code). The financial data may be processed for the purposes of processing and delivering your order for our products and/or booking of our services (namely managing payments and charges and collecting monies). The legal basis for this processing is the performance of a contract and our legitimate interests (namely to recover debts due).
- Transaction Data includes details about any Products and Services you have ordered/booked from us. The transaction data may be processed for the purpose of processing and delivering your order or booking. The legal basis for this processing is the performance of a contract and our legitimate interests (namely our interest in the proper administration of our site, services and business).
- Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the computer, smartphone, mobile telephone or other electronic device you use to access our site. The technical data may be processed for the purpose of administering and protecting our business and our site (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data), to ensure that content from our site is presented in the most effective manner for you and for your computer, smartphone, mobile telephone or other electronic device, to improve the performance and features of our site, to keep our site safe and secure. The legal basis for this processing is our legitimate interests (namely to grow our business and protect our site).
- Usage Data includes information about how you use our site (including the pages you look at and how you use them). This usage data may be processed for the purposes of support and maintenance, enabling you to complete a survey, to deliver relevant website contents and use data analytics to improve our site, marketing, customer relationships and experiences and to make suggestions and recommendations to you about Products and Services that may be of interest to you. The legal basis for this processing is the performance of a contract and our legitimate interests (namely to study how our site is used and to grow our business and to keep our site updated and relevant).
- Sensitive Data. In the course of providing our services, you may give us data concerning your health; such information is considered ‘special categories of personal data’ under Data Protection Legislation. The sensitive data you give us may include your physical or mental health, medical conditions, disabilities or anything which results in reduced mobility or that may affect how we provide our services to you (for example, where we may need to provide you with special assistance). This sensitive data may be processed for the purposes of managing our relationship with you and providing our services to fulfil our obligations set out in our contract with you. The legal basis for processing is the performance of a contract, our legitimate interests and explicit consent.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences. The marketing and communications data may be processed for the purposes of sending you the relevant notifications. The legal basis for this processing is our legitimate interests and consent.
In addition to the specific purposes for which we may process your personal data set out above, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation and to ensure regulatory compliance to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
We may also provide you with information about offers and services that are similar to those that you have already received or we feel may interest you. If you:
- have already concluded a contract with us (e.g. if you have purchased Products and Services from us), we will only contact you by electronic means (e-mail or text) with information about offers and services similar to those which were the subject of a previous contract. If you do not want to be on our mailing list, you can opt out at any time by contacting us or unsubscribing by using the links provided in our electronic communications and at the point of providing your details.
- are a potential new customer (e.g. enquiring about Products or Services), we will contact you by electronic means only if you have provided your explicit consent to this. If you are happy for us to use your personal data in this way, please tick the relevant box situated on the website page/form on which we collect your details. Again, if you do not want us to use your data in this way, you can opt out at any time by contacting us or unsubscribing by using the links provided in our electronic communications.
How is your Personal Data collected
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your Identity, Contact, Financial Data and Marketing and Communication Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
  - Order/book Products and Services from us, such as a Travel Pass (which will generate the Transactional Data);
  - create a user account on our site;
  - reserve a Service (i.e. flight or a crossing);
  - contribute to or use some of the advanced features on our site and when you report a problem with our site;
  - request marketing to be sent to you;
  - enter a survey;
  - leave a review or complete a contact form for customer service queries; or
  - give us some feedback.
- Automated technologies or interactions. As you interact with our site we may automatically collect Technical and Usage Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. When you interact with our site we may also automatically collect Profile Data.
- Third parties or publicly available sources. We may receive personal data about you from various third parties which include:
  - Identity and Contact Data from companies within our group (the “IOS Group”);
  - Identity and Contact Data from approved third party authorised agents;
  - Contact, Financial and Transaction Data from providers of technical, payment and delivery services;
  - Marketing and Communication Data from advertising networks;
  - Technical Data from analytics providers such as Google based outside the EU; and
  - Identity and Contact Data from publicly available sources, such as social media accounts, Companies House and the Electoral Register.
Where we store your personal data
Some of the third parties which we work closely with are based outside of the European Economic Area (“EEA”) so their processing of your personal data will involve a transfer of data outside of the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
- where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe;
- where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Change of purpose
Disclosure of your information
You agree that we may disclose your information (including personal data) to the following categories of third parties:
- companies within the IOS Group for the provision of parts of our Products and Services;
- airport and port personnel for the provision of our services and performance of any contract we enter into with them or you;
- government officials for the fulfilment of our legal duties;
- suppliers, sub-contractors and Authorised Agents for the performance of any contract we enter into with them or you;
- analytics and search engine providers that assist us in the improvement and optimisation of our site; and
- marketing service providers to assist us with our electronic marketing.
Your personal data will not be shared with third parties for their marketing purposes unless you have provided your express consent. If you do not want to be contacted with third party marketing information, you can opt out at any time by contacting us.
We may disclose your personal data to third parties:
- where we have your consent to do so;
- to provide and/or improve our Products and Services;
- in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
- If Isles of Scilly Steamship Company Limited or substantially all of our assets are acquired by a third party, in which case personal data held by us about you will be one of the transferred assets; and
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions of carriage and other agreements, or to protect the rights, property, or safety of Isles of Scilly Steamship Company Limited, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.
Under Data Protection Legislation, in certain circumstances you have the following rights in relation to your personal data:
- Right to access. You have the right to request access to information held about you. We will provide you with a copy of your personal data held by us free of charge (providing your request is not excessive or for multiple copies, in which case we may charge a reasonable fee to cover our costs) and certain information about the processing of your personal data and the source of such data (if not directly collected from you). You also have the right to request that your personal data is transferred to a third party.
- Right to object to data processing. You may withdraw your consent to the processing of your personal data at any time by contacting us. Upon receipt of your notification, we shall promptly stop any processing of your personal data and (if requested by you) erase such information if we are not required to retain it for legitimate business or legal purposes.
- Right to restrict processing. You may ask us to suspend the processing of your personal data in the following circumstances:
  - if you do not think your personal data is accurate;
  - where we are found to be processing unlawfully but you do not want us to erase your personal data;
  - where you need us to continue holding your personal data to establish, exercise or defend legal claims; or
  - you have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.
- Right of rectification and right of erasure. You have the right to request that we correct or erase any inaccuracies in your personal data if such information would be incomplete, inaccurate or processed unlawfully.
Where we are relying on consent to process your personal data, you may withdraw consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
You can also exercise these rights at any time by contacting us at email@example.com. We may reject requests that are unreasonably repetitive, require disproportionate effort (for example, fundamentally changing an existing practice) or risk the privacy of others.
Our site may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Personal data retention
We may retain information about you, including personal data, for the period necessary to fulfil the purposes for which it was first collected unless a longer retention period is required or permitted by law. In determining data retention periods, we take into consideration contractual obligations, legal obligations, regulatory body requirements and the expectation and requirements of our customers. When personal data is no longer needed, we will securely delete or destroy it.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
If you have any cause for complaint about our use of your personal data, please contact us using the details provided above and we will do our best to solve the problem for you. If we are unable to help, you also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office (www.ico.org.uk).
Privacy Notice for Job Applicants
In accordance with the General Data Protection Regulation (GDPR), we have implemented this privacy notice to inform you, as prospective employees of our Company, of the types of data we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data.
DATA PROTECTION PRINCIPLES
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
- processing is fair, lawful and transparent
- data is collected for specific, explicit, and legitimate purposes
- data collected is adequate, relevant and limited to what is necessary for the purposes of processing
- data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
- data is not kept for longer than is necessary for its given purpose
- data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisational measures
- we comply with the relevant GDPR procedures for international transferring of personal data
TYPES OF DATA HELD
We keep several categories of personal data on our prospective employees in order to carry out effective and efficient processes. We keep this data in recruitment files relating to each vacancy and we also hold the data within our computer systems, for example, recruitment logs.
Specifically, we hold the following types of data:
- personal details such as name, address, phone numbers;
- name and contact details of your next of kin;
- your photograph;
- your gender, marital status, information of any disability you have or other medical information;
- right to work documentation;
- information on your race and religion for equality monitoring purposes;
- information gathered via the recruitment process such as that entered into a CV or included in a CV cover letter;
- references from former employers;
- details on your education and employment history etc;
- driving licence;
- criminal convictions.
COLLECTING YOUR DATA
You provide several pieces of data to us directly during the recruitment exercise. In some cases, we will collect data about you from third parties, such as employment agencies, former employers when gathering references or credit reference agencies. Should you be successful in your job application, we will gather further information from you, for example, your bank details and next of kin details, once your employment begins.
LAWFUL BASIS FOR PROCESSING
The law on data protection allows us to process your data for certain reasons only. The information below categorises the types of data processing we undertake and the lawful basis we rely on.
| Activity requiring your data | Lawful basis |
|---|---|
| Carrying out checks in relation to your right to work in the UK | Legal obligation |
| Making reasonable adjustments for disabled employees | Legal obligation |
| Making recruitment decisions in relation to both initial and subsequent employment e.g. promotion | Our legitimate interests |
| Making decisions about salary and other benefits | Our legitimate interests |
| Making decisions about contractual benefits to provide to you | Our legitimate interests |
| Assessing training needs | Our legitimate interests |
| Dealing with legal claims made against us | Our legitimate interests |
| Preventing fraud | Our legitimate interests |
SPECIAL CATEGORIES OF DATA
Special categories of data are data relating to your:
- sex life
- sexual orientation
- ethnic origin
- political opinion
- trade union membership
- genetic and biometric data.
We carry out processing activities using special category data:
- for the purposes of equal opportunities monitoring
- to determine reasonable adjustments
Most commonly, we will process special categories of data when the following applies:
- you have given explicit consent to the processing
- we must process the data in order to carry out our legal obligations
- we must process data for reasons of substantial public interest
- you have already made the data public.
FAILURE TO PROVIDE DATA
Your failure to provide us with data may mean that we are unable to fulfil our requirements for entering into a contract of employment with you. This could include being unable to offer you employment or administer contractual benefits.
CRIMINAL CONVICTION DATA
We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage; however, it may also be collected during your employment. We use criminal conviction data to determine your suitability, or your continued suitability, for the role. We rely on the lawful basis of legitimate interests to process this data.
WHO WE SHARE YOUR DATA WITH
Employees within our company who have responsibility for recruitment will have access to your data which is relevant to their function. All employees with such responsibility have been trained in ensuring data is processed in line with GDPR. Data is not shared with third parties.
We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us. We have a data processing agreement in place with such third parties to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data. We do not share your data with bodies outside of the European Economic Area.
PROTECTING YOUR DATA
We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.
We only keep your data for as long as we need it, which, in relation to unsuccessful candidates, is six months to a year.
If your application is not successful and we have not sought consent or you have not provided consent upon our request to keep your data for the purpose of future suitable job vacancies, we will keep your data for six months once the recruitment exercise ends.
If we have sought your consent to keep your data on file for future job vacancies, and you have provided consent, we will keep your data for nine months once the recruitment exercise ends. At the end of this period, we will delete or destroy your data, unless you have already withdrawn your consent to our processing of your data in which case it will be deleted or destroyed upon your withdrawal of consent.
Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data and there will be no consequences of withdrawing consent.
If your application is successful, your data will be kept and transferred to the systems we administer for employees. We have a separate privacy notice for employees, which will be provided to you.
AUTOMATED DECISION MAKING
Automated decision making means making decisions about you using no human involvement e.g. using computerised filtering equipment. No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
You have the following rights in relation to the personal data we hold on you:
- the right to be informed about the data we hold on you and what we do with it;
- the right of access to the data we hold on you. We operate a separate Subject Access Request policy and all such requests will be dealt with accordingly;
- the right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
- the right to have data deleted in certain circumstances. This is also known as ‘erasure’;
- the right to restrict the processing of the data;
- the right to transfer the data we hold on you to another party. This is also known as ‘portability’;
- the right to object to the inclusion of any information;
- the right to regulate any automated decision-making and profiling of personal data.
In addition to the above rights, you also have the unrestricted right to withdraw consent, that you have previously provided, to our processing of your data at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.
If you wish to exercise any of the rights explained above, please contact the Human Resources Manager.
MAKING A COMPLAINT
If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.
DATA PROTECTION COMPLIANCE
Our Data Protection Officer is Stuart Reid, Chief Operating Officer.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.
You may block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
We may use the following cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of our site. They include, for example, cookies that enable you to log into secure areas of our site.
- Performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our site when they are using it. This helps us to improve the way our site works, for example, by ensuring that users are finding what they are looking for easily.
- Functionality cookies. These are used to recognise you when you return to our site. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
- Targeting cookies. These cookies record your visit to our sites, the pages you have visited and the links you have followed. We will use this information to make our site more relevant to your interests. We may also share this information with third parties for this purpose.
You can find more information about the individual cookies we use and the purposes for which we use them in the table below:
| Cookie | Purpose | Duration |
|---|---|---|
| wp-settings-1 | This cookie is used to customise the admin interface of the website and possibly the main site interface. | 1 year |
| wp-settings-time-1 | This cookie is used to customise the admin interface of the website and possibly the main site interface. | 1 year |
| _ga | We use this to distinguish our site's unique users by allocating a randomly generated number as a client ID. It allows Google Analytics to track and analyse visitor information such as visits, average time on site, referral location etc. | 2 years |
| _gat | This cookie is typically written to the browser upon the first visit. If the cookie has been deleted by the browser operator, and the browser subsequently visits the website, a new _gat cookie is written with a different unique ID. In most cases, this cookie is used to determine unique visitors to the website and it is updated with each page view. Additionally, this cookie is provided with a unique ID that Google Analytics uses to ensure both the validity and accessibility of the cookie as an extra security measure. | |
| _gid | Used to distinguish our users. | 24 hours |
| _dc_gtm_UA* | Set by Google Tag Manager to pass data to Double Click and Google Analytics. | |
| dpr | Allows control over the “Follow us on Facebook” and “Like” buttons. | |
| fr | Encrypted Facebook ID and Browser ID used for advertising purposes. | |
| wd | Keeps track of the first and last Facebook page visited by the user and the inner dimensions of the browser window respectively. | |
| 1P_JAR | Google advertising cookie used for user tracking and ad targeting purposes. | |
| AID, APISID, HSID, NID, SAPISID, SID, SIDCC and SSID | Used to link activity across devices if a user has previously signed in to a Google Account on another device. This is to coordinate the ads seen across devices and measure conversion events. These cookies may be set on the domains google.com/ads, google.co.uk/ads, google.com/ads/measurement or googleadservices.com. | |
| | | End of session |
| CONSENT and GMAIL_RTT | Used by Google Maps and Gmail | |