Who we are

Oykel Bridge Hotel Limited (we/us) is a company registered in Scotland under company registration number SC413078 and having its registered office address at Estate Office Old Bank Buildings, Lairg Road, Bonar Bridge, Sutherland, IV24 3EA.

We do not have a Data Protection Officer.

Interpretation

The following definitions apply in this document:

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

Data Subject a natural person who is identified by or identifiable from Personal Data.

GDPR the General Data Protection Regulation (2016/679), which is available at: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32016R0679.

Personal Data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Special Categories of Personal Data Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

This document

This Privacy Notice takes effect from 25 May 2018. It is directed to all natural persons whose Personal Data we process other than our officers, employees, workers and volunteers. It applies to candidates for employment with us. This Privacy Notice applies to Personal Data collected by whatever means including without limit through our websites. It sets out information about how we collect Personal Data, the categories of Personal Data we collect, the purpose for which we process Personal Data, the legal basis for this processing, our legitimate interests in processing, how we share Personal Data and the rights of Data Subjects whose Personal Data we process.

On occasion we may also provide more detailed processing information to a Data Subject in a separate privacy notice. Where we do so, that information will prevail over the information in this document.

This Privacy Notice is published on our website at https://oykelbridgehotel.com and may be updated from time to time. Please check this page for the latest version of our Privacy Notice each time you provide Personal Data to us.

Our status

We are the Controller in relation to all Personal Data which we collect.

How we collect Personal Data

We collect Personal Data in the following main ways:

  • Using website contact forms, emails and correspondence sent to us
  • When taking bookings by telephone, in person or by email
  • Using guest registration forms
  • Using video surveillance cameras
  • Automatically using cookies on our website (see our separate cookie notice for further information)

Categories of Data Subject

We collect Personal Data in relation to the following categories of Data Subject:

  • Guests in our hotel
  • Business contacts
  • Suppliers and their representatives
  • Visitors to our website
  • Visitors to our premises
  • People who make enquiries with us
  • Delegates at events we are hosting
  • Shareholders in our company
  • Candidates applying for employment with us

Types of Personal Data we Process

We process the following main types of Personal Data:

  • Names, addresses, email addresses and telephone numbers (Contact Data)
  • The nationality of hotel guests. Numbers and places of issue of passports of hotel guests who are not commonwealth citizens, British protected citizens nor citizens of the Republic of Ireland as well as the next destination of such persons and their address their if known. (Registration Data)
  • Entries in our register of members and register of persons with significant control (Shareholder Data)
  • Records of our sale and purchase of goods and/or services (Services Data)
  • CCTV footage (Surveillance Data)
  • Vehicle registration numbers (Motor Vehicle Data)
  • Payment card information, sort code and bank account numbers (Financial Data)
  • Job title, employer, work history and qualifications (Career Data)
  • Information relating to your marketing preferences (Marketing Data)

We process the following Special Categories of Personal Data:

  • Health information relating to incidents occurring at our premises (Health and Safety Data)

We collect or may collect online identifiers at our website which may be considered to be Personal Data such as IP addresses (Website Technical Data).

When the provision of Personal Data is a statutory requirement or a requirement necessary to enter into a contract

If you are aged over 16 years and are a guest in our accommodation, you are required by law to provide us with your full name and nationality upon arrival.

If you are not a Commonwealth citizen, British protected person nor a citizen of the Republic of Ireland you are additionally required by law, on arrival, to provide us with the number and place of issue of your passport (or other document establishing your identity and nationality) and before you leave, your next destination and if known, your full address there.

It is a requirement before entering into any contract for the provision of services other than food and drink purchased in our bar or restaurant to provide us with your name and address and if payment is required at the time the contract is entered into, your payment card information.

If you do not provide us with your Personal Data in the above circumstances, we will be unable to provide our services to you.

Purpose of processing

We process or may process Personal Data for the following main purposes:

Purpose Brief details of the Personal Data affected
 
To provide services and process payments Contact Data relating to our customers and their representatives; Services Data; Financial Data; Motor Vehicle Data
 
To receive the benefit of services and to monitor service levels Contact Data relating to our suppliers and their representatives; Services Data
 
For credit control, record-keeping, complaints management and other administrative purposes Contact Data; Services Data; Shareholder Data
 
To defend legal claims which may be made against us or our officers, employees or workers All Personal Data we process
 
To comply with legal and regulatory obligations including under companies legislation, tax legislation, The Immigration (Hotel Records) Order 1972, the GDPR, Reporting of Injury, Disease and Dangerous Occurrences Regulations 2013 (RIDDOR) and criminal evidence legislation Contact Data; Services Data; Surveillance Data; Financial Data; Shareholder Data; Health and Safety Data; Marketing Data
 
To safeguard our assets and people using our premises Surveillance Data
 
For relationship management and direct marketing purposes Contact Data; Services Data; Marketing Data
 
To ensure the continuity of our business following a reorganisation or transfer to a successor All Personal Data we process
 
To assess the suitability of candidates for employment with us Career Data
 

We process or may process Website Technical Information for the purpose of for the purpose of analysing the use of our website. We will not process Website Technical Information for the purpose of identify you. We may use Google Analytics, in which case Google will process Website Technical Information in accordance with their privacy notice available at:

https://policies.google.com/privacy/partners?hl=en-GB&gl=uk

We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the Contact Data at the end of this document.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Lawful basis for processing

We only process Personal Data where we have a lawful basis for doing so.

Personal Data other than Special Categories of Personal Data

In some cases we will be required to process your Personal Data in order to comply with a legal obligation and/or to perform or conclude a contract between us.

We process email addresses for the purposes of sending electronic marketing communications on the basis of consent if you are an individual (including sole traders and members of unincorporated organisations) and we did not collect your Personal Data in connection with a sale or negotiation for the sale of a service to you.

We also process Personal Data on the basis of our legitimate interests. Our legitimate interests in processing your Personal Data are set out below.

Legitimate interest Brief details of the Personal Data affected
 
Providing our services and processing payments Contact Data; Services Data; Financial Data; Motor Vehicle Data
 
Receiving the benefit of services and monitoring service levels Contact Data relating to our suppliers and their representatives; Services Data
 
Carrying out credit control, record-keeping, complaints management and other administrative actions Contact Data; Services Data; Shareholder Data
 
Defending legal claims which may be made against us or our officers, employees or workers All Personal Data we process
 
Safeguarding our assets and people using our premises Surveillance Data
 
Relationship management and direct marketing purposes Contact Data; Services Data; Marketing Data
 
Ensuring the continuity of our business following a reorganisation or transfer to a successor All Personal Data we process
 

Special Categories of Personal Data

We process Special Categories of Personal Data on the following bases:

Lawful basis Brief details of the Personal Data affected
 
To comply with social security law; to defend against legal claims Health and Safety Data
 

Retention of information

We will only retain Personal Data for as long as it is necessary to hold the Personal data for any of the purposes for which it is processed and will delete or anonymise the information (so far as this is technically possible using our systems) within the timescales set out below.

Services Data; Contact Data stored for administrative purposes When it no longer needs to be retained under applicable tax legislation, unless the information is required to be preserved for evidential purposes in connection with any claim, potential claim or investigation
 
Contact Data stored for marketing purposes; Marketing Data Five years from last use or five years from unsubscribe (in which case it will only be retained for the purpose of keeping a record that you have suppressed the use of your data)
 
Health and Safety Data The longer of the statutory period and 80 years from the date of the incident
 
Surveillance Data 14 days, or such longer period as it may be required for evidential purposes
 
Registration Data The period required by law
 
Motor Vehicle Data On expiry of a fishing lease
 
Candidate Data This will be processed in accordance with our HR Privacy Notice if a candidate is successful. The personal data of an unsuccessful candidate will not be retained for more than 12 months.
 

Transfers outside of the European Economic Area (EEA)

We may transfer Personal Data outside of the EEA where this is necessary for the conclusion or performance of our contract with you or is a step preparatory to entering into a contract with you and is taken at your request or, if you are a representative of a customer or supplier, if the transfer is necessary for the performance of our contract with a third party which is in your interests.

We may also transfer Personal Data outwith the EEA to:

  • Countries which have been deemed to provide an adequate level of protection for Personal Data by the European Commission.
  • Countries outside of the EEA, on the basis of specific contractual clauses which have been approved by the European Commission which give Personal Data the same protection it has in EEA.
  • To providers of IT services in the United States which are part of the Privacy Shield, which requires them to provide similar protection to Personal Data shared between the EEA and the US as it has in the EEA.
  • Where this is otherwise lawful under the GDPR.

Recipients of Personal Data

We transfer or may transfer Personal Data to the following recipients:

Recipient or category of recipient Brief details of the Personal Data affected
 
Our officers and employees All of the Personal Data we process
 
Providers of services to us, including without limit our IT service providers; our professional advisers; our self-employed consultants; All of the Personal Data we process
 
Courts and tribunals All of the Personal Data we process
 
Law enforcement agencies and tax authorities All of the Personal Data we process
 
Companies House and to individuals exercising rights of access under the Companies Act 2006 Shareholder Data
 

We transfer or may transfer Website Technical Data to providers of website analytical services.

Your legal rights

You have the right to:

Request access to your Personal Data (commonly known as a "data subject access request"). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.

Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Complain to complain to the supervisory authority in connection with our processing of your personal data. You can exercise this right by contacting the Office of the Information Commissioner at https://ico.org.uk/.

Security

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know.

Our websites may contain links to other websites of interest. However, once you have used one of these links to leave our website, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this Privacy Notice. You should exercise caution and look at the privacy notice applicable to the website in question.

Contact us

If you have any questions about our processing of Personal Data or would like to exercise one of your legal rights, please contact: The Company Secretary, Estate Office Old Bank Buildings, Lairg Road, Bonar Bridge, Sutherland, IV24 3EA.

Guidance on data protection law is available from the office of the Information Commissioner at https://ico.org.uk/.