Home > Privacy Notice

Crossbasket Castle is aware of its obligations under the UK General Data Protection Regulation (GDPR) and is committed to processing your data securely and transparently. This privacy notice sets out, in line with GDPR, the types of personal data that we collect and process about our guests and web-site visitors. It also sets out how we use that information, how long we keep it for and other relevant information about your data.

Who we are

Crossbasket Castle is a data controller, meaning that it determines the processes to be used when using your personal data. Our contact details are as follows:

Crossbasket Castle
Crossbasket Estate, Stoneymeadow Road, High Blantyre, Glasgow, G72 9UE, Scotland
Email: info@crossbasketcastle.com

Data protection principles

In relation to your personal data, we will:

  • process it fairly, lawfully and in a clear, transparent way

  • collect your data only for specified and specific purposes

  • only collect the minimum information we need to meet the purpose

  • only use it in the way that we have told you about

  • ensure it is correct and up to date

  • keep your data for only as long as we need it

  • process it securely, reducing the risk of it being lost or stolen

What data we collect about you

Personal data means any information capable of identifying an individual. It does not include anonymized data. We may process certain types of personal data about you as follows:

  • Identity Data may include your first name, maiden name, last name, username, marital status, title, date of birth and gender.

  • Contact Data may include your billing address, email address and telephone numbers.

  • Financial Data may include your bank account and payment card details.

  • Transaction Data may include details about payments between us and other details of purchases made by you.

  • Technical Data may include, internet protocol addresses, browser type and version, browser plug-in types and versions, time zone setting and location, operating system and platform and other technology on the devices you use to access our website.

  • Profile Data may include bookings you have made with us in the past, your dietary requirements, preferences, feedback and survey responses.

  • Usage Data may include information about how you use our website.

  • Marketing and Communications Data may include your preferences in receiving marketing communications from us and our third parties and your communication preferences.

We may also process Aggregated Data from your personal data, but this data does not reveal your identity and as such in itself is not personal data. An example of this is where we review your Usage Data to work out the percentage of website users using a specific feature of our site. If we link the Aggregated Data with your personal data so that you can be identified from it, then it is treated as personal data.

Where we are required to collect personal data by law, or under the terms of the contract between us and you, if you do not provide us with that data when requested, we may not be able to perform the contract (for example, to deliver the Services to you). If you don’t provide us with the requested data, we may have to cancel your order of the Services. If we do, we will notify you at that time.

Why we process your data

There are 6 lawful reasons for processing personal data, which are:

  • You give consent for us to process your data

  • It is necessary to fulfil a contractual obligation with you

  • There is a regulatory obligation on us to do so

  • It is in the legitimate interest of the company to do so

  • It is in the public interest to do so

  • It is in your vital interest to do so.

How we collect your data

We collect personal data about you through a variety of different methods including:

  • Direct Interactions: You may provide data when filling in forms on the website (or otherwise) by communicating with us by post, phone, email, or otherwise, including when you:

    • Make a booking

    • Request marketing material be sent to you

    • Give us feedback

  • Automated technologies or interactions: As you use our site, we may automatically collect Technical Data about your equipment, browsing actions and usage patterns. We collect this data by using cookies, server logs and similar technologies. We may also receive technical data about you if you visit other websites that use our cookies. Please see our cookie policy / the cookie section of this policy for further details.

  • Third parties or publicly available sources: We may receive personal data about you from various third parties and public sources as set out below:

    • Analytics providers such as Google based outside the EU;

    • Identity and Contact Data from publicly available sources such as LinkedIn.

We do not collect sensitive data.

Child Data

It is not our intent to process data from anyone under the age of 16. If you are aware of anyone having submitted data to us relating to an individual under the age of 16, please let us know at data@crossbasketcastle.com and will immediately stop processing and delete any personal data relating to that individual. If we become aware of having been provided data relating to an individual under the age of 16 (without parental consent) we will immediately stop processing and delete any personal data relating to that individual.

Sharing your data

Your data will be shared within the Company where it is necessary for staff to undertake their duties in provision of the Services to you.

We also share some of your data with the following third parties:

Information

To Whom

Purpose

Guest name, contact details

SimpleERB

Restaurant reservation system

Guest name, contact details

Guestline

PMS guest reservation system

Guest name, contact details

JG Collection

Appointed Sales company for Hotel (ICMI)

Guest name, contact details

Chez Roux

Appointed Restaurant Group

Guest name, contact details

ICMI Collection

Appointed Hotel management company

Guest Name, contact details

Luxury Restaurant Collection

Appointed Restaurant Membership Club

Guest Name, reservation details

Upsell Guru

Appointed pre-arrival reservation service

Guest Name, reservation details

Workmatrix

Online reservation booking engine

Guest Name, contact details

Guest Activity suppliers

Based on your request for activities during your stay, limited contact information may be given.

We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us.

Protecting your data

We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.

Where we share your data with third parties, we provide written instructions to them to ensure that your data are held securely and in line with GDPR requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of your data. You can link to their specific Data Privacy Polices here:

We do share your data outside the European Economic Area since we have hotels in the Caribbean, we follow binding corporate rules when moving data using a contractual arrangement with EU approved “standard contract clauses”.

How long we keep your data for

In line with data protection principles, we only keep your data for as long as necessary. Guest details are kept for 13 months otherwise requested to be deleted.

Your rights in relation to your data

The law on data protection gives you certain rights in relation to the data we hold on you. These are:

  • the right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice

  • the right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request.

  • the right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you can require us to correct it

  • the right to have information deleted. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it

  • the right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct

  • the right to portability. You may transfer the data that we hold on you for your own purposes

  • the right to object to the inclusion of any information. You have the right to object to the way we use your data where we are using it for our legitimate interests

  • the right to regulate any automated decision-making and profiling of personal data. You have a right not to be subject to automated decision making in way that adversely affects you.

Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases we may continue to use the data where so permitted by having a legitimate reason for doing so.

If you wish to exercise any of the rights explained above, please contact our Data Manager data@crossbasketcastle.com

How to complain

We strive to meet the highest standards when collecting and using personal information. Complaints are taken very seriously, and data subjects are encouraged to bring any issues to our attention.

To do this write to:

The Data Protection Officer
JVR Consultancy Ltd.
635 Bath Road, Slough, Berkshire, SL1 6AE

The supervisory authority in the UK for data protection matters is the Information Commissioner’s Office (ICO). If you think your data protection rights have been abused or breached in any way by us, you are able to make a complaint to the ICO at https://ico.org.uk/concerns/.

Or by post, telephone or email:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Email: casework@ico.org.uk.