We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and how to contact us. We seek at all times to comply with the General Data Protection Regulation (GDPR).
Who we are
Darjeeling Tours Limited, collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the GDPR which applies across the European Union (including in the UK) and we are responsible as ‘controller’ of that personal information for the purposes of the GDPR. The GDPR will be supplemented in due course by additional UK specific data protection legislation.
What personal information do we collect?
We collect personal information about you when you:
- visit our website, join a mailing or marketing list, contact us on social media or by email, complete a survey or enter a competition organised by us
- visit our office
- contract directly with us
- contract with us as a third party
You are responsible for ensuring that other members of your party are aware of the content of this notice and consent to your acting on their behalf in all your dealings with us.
Under no circumstances is debit/credit card information ever stored on our computers.
How do we collect information?
You may give us the information orally, by web form, email, telephone or by letter. You may also give information to booking agents acting on our behalf or booking agents (including family members and others) who seek to purchase a service from us.
How long do we keep your personal data?
All personal data are kept no longer than is necessary. In the case of any contract concluded with us then financial data are kept for a period of seven years from the date when the contract is completed. All other data (ie date of birth certificate, medical information) are destroyed one month following the completion of the travel contract.
In circumstances when a customer completes a document signifying consent to receive a particular service then the document is kept indefinitely unless the customer in writing withdraws the consent.
What is the lawful basis for you processing my information?
We must have a lawful basis for processing your information; this will vary on the circumstances of how and why we have your information, but typical examples include:
- the activities are within our legitimate interests as a travel company seeking to engage with and provide services to prospective and current customers, and third parties
- you have given consent for us to process your information e.g. in relation to marketing activities
- we are carrying out necessary steps in relation to a contract to which you are a party or prior to you entering into a contract, e.g. because you wish to book tickets or arrange for us to carry out a service for you
- the processing is necessary for compliance with a legal operation to which we are subject, e.g. for us to be able to comply with legal obligations imposed by statute and statutory regulation
- to protect your vital interests, e.g. if you were unfortunate enough to fall ill or suffer injury on one of our holidays.
If we process any special categories of information i.e. information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, processing of genetic biometric data for the purpose of uniquely identifying individuals, health data, or data concerning your sex life or sexual orientation, or information revealing criminal convictions or offences we must have a further lawful basis for processing. This may include:
- where you have given us your explicit consent to do so, e.g. to obtain your medical details to satisfy requirements imposed by Regulation
- where the processing is necessary to protect your vital interests or someone else’s vital interests
- you have made the information public
- the processing being necessary for the establishment, exercise or defence of legal claims
- the processing being necessary for reasons of substantial public interest
- the processing being necessary as a consequence of the arranging of relevant and necessary insurance policies
- preventing or detecting unlawful acts or dishonesty, or for safeguarding reasons.
How do we use your information?
We use the information:
• to provide information that you may require regarding the services that we offer
• to fulfil our contract with you
• to comply with our statutory and regulatory obligations
• to send you marketing communications.
Disclosure of your information
Some of the information you provide to us may be transferred to, stored and processed by third party organisations who process data on our behalf. These third parties may be based (or store or process information) in the United Kingdom, or elsewhere including outside of the European Economic Area (EEA). These third parties may include third party IT platforms (including cloud-based platforms), suppliers of administrative and support services and suppliers of other specialist products.
We may be obliged to disclose data by order of a court, by statute, or we may be permitted to disclose it under applicable data protection laws in other circumstances.
How do we protect your information?
All our computers are protected by firewalls and reputable anti-virus software to which all patches and updates are applied as soon as possible. External servers are similarly protected and provided by organisations we trust. Our computers and programmes are protected by passwords. Information in hard form is kept in locked drawers or filing cabinets.
When we transfer information to third parties to enable them to process it on our behalf, we ensure that the providers meet or exceed the relevant legal or regulatory requirements for transferring data to them and keeping it secure.
We may transfer your personal information to countries which are located outside the European Economic Area (EEA) or UK as follows:
- when using outsourced IT or other administrative support services
- where you are located outside of the EEA
- To enable us to fulfil our contractual obligations
Such countries do not always have the same data protection laws as the United Kingdom and EEA but we will ensure that where information is transferred to a country or international organisation outside of the of the UK/EEA, we will comply with the relevant legal rules governing such transfers that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information.
What are cookies?
We may collect information using “cookies.” Cookies are small data files stored on the hard drive of your computer or mobile device by a website. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer or mobile device until you delete them) to provide you with a more personal and interactive experience on our Site.
You can typically remove or reject cookies via your browser settings. In order to do this, follow the instructions provided by your browser (usually located within the “settings,” “help” “tools” or “edit” facility). Many browsers are set to accept cookies until you change your settings.
Further information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them, visit www.allaboutcookies.org.
If you do not accept our cookies, you may experience some inconvenience in your use of our Site. For example, we may not be able to recognise your computer or mobile device and you may need to log in every time you visit our Site.
What are your rights concerning our use of your personal information?
Under GDPR your rights include:
- Right of access. You may request to see what data we hold about you.
- Right to rectification and data quality. You may require us to correct data which are inaccurate or incomplete.
- Right to erasure including retention and disposal. The right to be ‘forgotten’. If you have had no contract with us, this can be done immediately. If you have had a contract, we must retain relevant data for seven years. Data older than this can be deleted, though we need to retain your name in our archives as a marker for past transactions.
- Right to restrict processing. In this case we can retain the data but not use it.
- Right of data portability. This does not apply as we do not process data by automatic means.
- Right to object, or to withdraw consent. You can ask us to stop sending you direct marketing communications (e.g. brochures or email newsletters). Note that an ‘unsubscribe’ request will stop future mailings, but that if you require your data to be deleted you must specifically notify us.
If you wish to exercise any of these rights, please email or write to us, and we will respond appropriately as quickly as possible. Furthermore, if you would like to discuss this policy, ask how we use your personal information, provide feedback or make a complaint please email or write to us.
Darjeeling Tours Limited
Telephone: +44 (0) 208 249 8943
You can also contact the Information Commissioner’s Office via https://ico.org.uk for information, advice or to make a complaint.
Changes to this privacy notice
This privacy notice was last updated in May 2018.
We may change this privacy notice from time to time as our business and internal practices and/or applicable laws change. We will not make any use of your personal information that is inconsistent with the original purpose(s) for which it was collected or obtained (if we intend to do so, we will notify you in advance wherever possible via our website and/or otherwise contacting you by post or email) or otherwise that is permitted by applicable law.