(General Data Protection Regulation)
The GDPR legislation came into force on 25th May 2018 and replaces the 1995 Data Protection Directive. GDPR governs personal data information – how it’s captured and who it’s shared with.
Personal Data Stored and Used with Consent
Achieving GDPR compliance is a company wide goal at Cottesmore. All data will be handled for the purpose for which it was entrusted. We aim to build a database of those who have given explicit consent to receive our company newsletters and offers.
Cottesmore will never sell your data to any third party.
How does Cottesmore collect data?
Where is your data stored?
Cottesmore uses four separate software systems for operational purposes.
Cottesmore’s marketing database is stored on our email database account. All email addresses held on the database have been submitted with consent for the purposes of receiving our newsletter and offers.
All four forms of software are protected by username and password to ensure data is only accessed by those authorised to handle it. Additionally, user rights within each system govern access from an internal perspective.
How does Cottesmore manage stored data?
A regular review process or data purge is conducted across the four operational software systems (ESP, Clock, Shortcuts, email database) that hold personal data. If there is no requirement to hold the data based on the original purpose for which it was retained, i.e. a one off accommodation booking or salon treatment, it will be reviewed for deleting.
How do I access my data?
We aim to conduct a highly transparent data policy whereby anyone may contact the General Manager on firstname.lastname@example.org to verify the status of any information held. It may be edited or deleted at any time. In line with GDPR regulations this will completed within 30 days.
Young Person’s data rights.
The General Data Protection Regulation proposes introducing 16 as the minimum age at which a person can join an online service without the consent of their parents. Data of those under the age of 16 will not be stored without the consent from their parents.
In the event of a data breach?
If the circumstances arise where our security measures are breached and an unlawful access to personal data is achieved we are legally required to contact those involved within 72 hours. An investigation will be launched by the Data Protection Officer immediately into the cause of the breach and how to prevent it reoccurring.
Cottesmore operates a CCTV system for security purposes and for the protection of our employees. All security cameras in operation permanently record onto a server at Cottesmore held on a secure network. The recorded footage is held for 14 days before it is automatically recorded over. Any recorded footage will be made available on request.
Card Payment Systems.
Card payment transactions are regulated under the Payment Card Industry Data Security Standard (PCI DSS) to which Cottesmore is highly committed thoroughly quarterly compliance schedules to protect card data.
PCI DSS is the worldwide Payment Card Industry Data Security Standard that was set up to help businesses process card payments securely and reduce card fraud. This is achieved through enforcing tight controls surrounding the storage, transmission and processing of cardholder data that businesses handle. PCI DSS is intended to protect sensitive cardholder data.
The payment standard has requirements which fall into the six categories below:
1.) Build and Maintain a Secure Network
2.) Protect Cardholder Data
3.) Maintain a Vulnerability Management Program
4.) Implement Strong Access Control Measures
5.) Regularly Monitor and Test Networks
6.) Maintain an Information Security Policy
Card data is only used for the intended purpose for which it was submitted. The card data is then destroyed or automatically deleted following its intended use.
Data Protection Officer.
Johnny Porter – General Manager