Privacy Policy
British Tourist Authority - Privacy Policy
This privacy policy (“Policy”) was last updated on 1 August 2018.
Introduction
The British Tourist Authority (“BTA”, “we”, “us” or “our”), a statutory body incorporated under the Development of Tourism Act 1969, with its offices at 3 Grosvenor Gardens, London, SW1W 0BD.
We undertake our statutory duties to promote tourism to and within Great Britain and England under the brands “VisitBritain” and “VisitEngland”.
BTA is the data controller in connection with any personal information collected or received by us arising from your use of any of our products, services, applications, websites (including any e-commerce stores) and customer support communications.
This Policy explains the types of information that we may collect and hold, how that information is used and with whom the data is shared. It also sets out how you can contact us if you have any queries or concerns about this information.
We reserve the right to make changes to this Policy at any time and we may notify you of changes to this policy by email or through the private messaging system on our website. Your continued use of our products, applications, services and websites that are subject to this Policy will signify your acceptance of any and all changes to this Policy made by us from time to time and you should check this page occasionally to ensure you are happy with any changes to this Policy.
We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this Policy. If you have any questions about this Policy, including any requests to exercise your legal rights, please contact the DPO using the details set out at the bottom of this Policy.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Third Party Links
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Contents
1. Information we collect
2. How we collect your information
3. How we use your personal information
4. Sharing your personal information
5. International transfers of your information
6. Security of your personal information
7. Cookies
8. Retaining and deleting personal data
9. Access to your information and your rights
10. Our details
11. Data protection officer
1. Information that we collect
We may collect, use, store and transfer information about you in several different ways and this information may be classified in different categories. Please take care when submitting information to us, particularly when completing free text fields or uploading content, documents and other materials. Some of our services may be automated and we may not recognise that you have accidentally provided us with incorrect or sensitive information.
1.1 Information that you provide to us
Whenever you interact with us, you may be asked to provide us with information relating to you. The following types of data may be collected from you:
1.1.1. Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
1.1.2. Contact Data includes billing address, delivery address, email address and telephone numbers.
1.1.3. Financial Data includes bank account and payment card details.
1.1.4. Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us and may include applicable device ID (s) relating to your particular product(s), delivery date and place of purchase.
1.1.5.Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
1.1.6. Enquiry Data includes data you provided us with when you contact us for customer service assistance (by any means of communication including written communications or via our website(s), support forums, telephone, email, SMS, or our social media channels) or when you visit us at a public event, such as a trade show or exhibition or participate in one of our surveys, competitions or prize draws, we may record all customer service communications and keep information about the particular communication, including your name, the product(s) you bought, the reason why you contacted us, and the advice we gave you so we can track the resolution of any customer service issues and for customer service training purposes.
1.1.7. Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses. We may also receive content that you choose to upload or post, such as your name, address, telephone number, email address, profile pictures, gender, date of birth, relationship status, interests and hobbies, educational details and employment details, product reviews, comments, photos and forum posts, or details of your interests and preferences that you choose to tell us about when, for example, selecting the services that you wish to receive.
1.1.8. Usage Data includes information about how you use our website, products and services, as well as the frequency and pattern of your service use.
1.1.9. Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
Aggregated Data
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Policy.
2. How we collect your information
2.1. We use different methods to collect data from and about you including through:
2.1.1. Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
2.1.1.1. apply for our products or services;
2.1.1.2. create an account on our website;
2.1.1.3. subscribe to our service or publications;
2.1.1.4. request marketing to be sent to you;
2.1.1.5. enter a competition, promotion or completing a survey; or
2.1.1.6. give us some feedback.
2.1.2. Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies, this Technical Data may include:
a) Details of your usage patterns, the content (including any advertisements) that you view and interact with including information on the services and applications you are using in-device to personalise services to your specific needs. For example, when you use our websites, we may collect information about your visit, such as your browser software, which pages you view and which items you ‘clicked’ on or added to your shopping basket.
b) Service, product or server logs, which hold technical information about your use of our service, product or websites, such as your IP address, device ID(s), domain, device and application settings, errors and hardware activity. We may use your IP address to determine your location/country of origin.
c) Device Information such as your device ID(s), including information about where your device is physically located. For example, when you are using a geo-location service or application and you have given consent to your location being shared.
d) Interests and preferences that you specify during set up or registration of any product or service.
2.1.3. Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources as set out below:
2.1.3.1. Financial and Technical Data from parties such as:
a) analytics providers based outside the EU;
b) advertising networks based inside the EU; and
c) search information providers based outside the EU.
2.1.3.2. Contact, Financial and Transaction Data from providers of technical, payment and delivery services based outside and inside the EU.
2.1.3.3. Identity and Contact Data from data aggregators and other specialist agencies based inside or outside the EU.
2.1.3.4. Identity and Contact Data from publicly availably sources such as Companies House and the Electoral Register based inside the EU.
2.1.3.5. Identity and Contact Data from social media if you (i) interact with any of our social network pages or applications; or (ii) you use one of our products or services that allow interaction with social networks, we may receive information relating to your social network accounts. For instance:
2.1.3.5.1 Logging in: If you log-in to one of our websites, applications or services using your social network account, we may receive basic details from your social network profile. The basic details we receive may depend on your social network account privacy settings; however, they might include your social network ID, name, profile picture, gender and location.
2.1.3.5.2. Interactions: If you click on a ‘like’, ‘+1’ or ‘tweet’ or similar button in one of our websites or services, we may record the fact that you have done so. In addition, the content that you are viewing may be posted to your social network profile or feed. We may receive information about further interactions with this posted content (for example, if your contacts click on a link in the posted content), which we may associate with the details that we store about you.
3. How we use your personal information
We will only use your personal data to the extent permitted by the law. We may use the personal information you provide to us or which we collect for the following range of purposes, including:
Purpose/Activity
|
Type of data
|
Lawful basis for processing including basis of legitimate interest
|
---|---|---|
To register you as a new customer
|
(a) Identity (b) Contact
|
Performance of a contract with you
|
To process and deliver your order including: (a) Manage payments, fees and charges; and (b) Collect and recover money owed to us; and (c) Provide you with a product or service you have requested (including any back-up and restore service), delivering your purchase to you or ensuring that you benefit from any relevant special offer or promotion (and to fulfil our obligations under any other agreement we may have with you) |
(a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications
|
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us)
|
To provide you with checkout assistance when you use our applications and services (including any online e-commerce stores). If you do not complete your purchase, we may contact you using these details to offer our assistance (in case, for instance, you were experiencing technical difficulties that prevented you from completing a transaction) |
(a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications
|
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to ensure that the products/services are delivered to you and to maintain our e-commerce stores error free)
|
To manage our relationship with you which will include: (a) Notifying you about changes to our terms and conditions or Policy (b) Asking you to leave a review or take a survey
|
(a) Identity (b) Contact (c) Profile (d) Marketing and Communications
|
(a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated; and to study how customers use our products/services; and for research purposes)
|
To enable you to partake in a prize draw, competition or complete a survey
|
(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Financial
|
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to study how customers use our products/services and to develop them)
|
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
|
(a) Identity (b) Contact (c) Technical
|
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation
|
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
|
(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical
|
Necessary for our legitimate interests (to study how customers use our products/services, to develop such products/services, to grow our business and to inform our marketing strategy)
|
To use data analytics to improve and enhance our existing products, services and applications and develop new offerings, recommendations, advertisements and other communications and learn more about customers’ shopping preferences in general.
|
(a) Technical (b) Usage
|
Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
|
To make suggestions and recommendations to you about goods or services that may be of interest to you, including carrying out surveys to better understand your preferences.
|
(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile
|
Necessary for our legitimate interests (to develop our products and services)
|
To prevent fraud and for investigation purposes, for example, using device information such as device ID(s) to ensure that any vouchers or discounts relating to any promotions or campaigns are not being redeemed fraudulently, checking that a payment is not made fraudulently. |
(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Financial
|
Necessary to comply with a legal obligation
|
To create and manage customer database(s). As part of our ongoing customer relationship management activities, we may consolidate several databases into one or otherwise link separate databases to more effectively manage your accounts. Information may be linked via a unique identifier, such as a cookie or account number. Alternatively, we may decide to combine two or more databases into a single database of customer information.
|
(c) Financial (d) Transaction (e) Technical (f) Enquiry (g) Profile (h) Usage (i) Marketing and Communications |
Necessary for our legitimate interests (to ensure that we have optimal data management practices in place) |
To consider employing you if you contact us via one of job application areas or pages of our websites.
|
(a) Identity (b) Contact
|
Necessary for our legitimate interests (to ensure that we employ high performing staff and to ensure an optimal performance of our business operations)
|
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the details set out at the bottom of this Policy.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
3.1 General
We may also use information we collect for the following general purposes:
3.1.1. Marketing communications
3.1.1.1. We may use your Identity, Contact, Technical, Usage and Profile Data to provide you with product and service updates, newsletters and other communications about existing and/or new products and services by post, email, telephone, in-device messaging and/or text message (SMS).
3.1.1.2. You will only receive marketing communications from us (i) if you have requested information from us; or (ii) purchased goods or services from us; or (iii) if you provided us with your details when you entered a competition or registered for a promotion and, in each case, if you have opted in for receiving such marketing.
3.1.1.3 We will get your express opt-in consent before we share your personal data with any third party company for marketing purposes.
3.1.2. Opting out of marketing communications
3.1.2.1. You can ask us or third parties to stop sending you marketing messages at any time by clicking the "unsubscribe" button at the bottom of the emails or by contacting us or such third parties at any time.
3.1.2.2. Where you opt out of receiving these marketing messages, such opt out will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.
Please note that we may occasionally send you important information (including via email) about our products and services that you are using or have used including essential software updates, changes to applicable terms and conditions and/or other communications or notifications as may be required to fulfil our legal and contractual obligations to provide warranty or after sales repair services. These important product and/or service communications are not affected by your opt-out of any marketing communications.
3.2 Publish your reviews, comments and content
Where you have uploaded product reviews, comments or content to our websites or services and made them publicly visible, we may link to, publish or publicise these materials elsewhere including in our own advertisements.
3.3 Forums
Each time you create or reply to a post or thread on a website forum from us, in addition to providing this forum service, we may also record the forum name and the time and date of your post or thread with your account details. We do this to better understand the ‘typical users’ of our forums and to select or tailor our marketing communications to reflect your forum activity. We do not use the actual content of your forum posts or threads for purposes of sending marketing communications.
4. Sharing your personal information
We may have to share your personal data with the third parties set out below for the purposes set out in the table in paragraph 3 above.
(a) our payment services providers for services relating to our website and services to which you have subscribed to which may be handled by our payment services providers, such as, without limitation, Worldpay. We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds. You can find information about the payment services providers' privacy policies and practices at https://www.worldpay.com/uk/privacy-policy.
(b) one or more of the selected third party suppliers of goods and services identified on our website to which you have specifically consented to share your personal data with for the purposes set out in such consent or to fulfill our contractual obligations. Each such third party will act as a data controller in relation to the data that we supply to it; and upon contacting you, each such third party will supply to you a copy of its own privacy policy, which will govern that third party's use of your personal data.
(c) our authorised data processors and service providers for the purposes of providing certain data processing services for us (acting as our authorised data processors). Examples of authorised data processors could include evaluation and research agencies, billing and fulfilment partners, data analytics providers who process information on our behalf for the purposes outlined above. For example, we may use the services of third parties to personalise content, fulfil orders, deliver packages, send postal mail and emails, send text messages (SMS), provide marketing assistance, process credit card payments, provide fraud checking services and provide customer services. When acting as our authorised data processors, our service providers are required to only process data in accordance with our instructions, in line with this Policy, and are subject to appropriate confidentiality and security obligations.
(d) our professional advisers insofar as reasonably necessary for the purposes of managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
(e) to government bodies such as the Department for Digital, Culture, Media & Sport and law enforcement agencies to prevent fraud, to comply with applicable laws, regulations and court orders and to comply with valid legal information requests from such bodies.
Anonymous statistics
We prepare anonymous, aggregate or generic data (including “generic” statistics) for a number of purposes as outlined above. As we consider that you cannot reasonably be identified from this information, we may share it with any third party (such as our partners, advertisers, industry bodies, the media and/or the general public).
5. International transfers of your information
5.1. In this paragraph, we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA).
5.2. The British Tourist Authority is a statutory body incorporated under the Development of Tourism Act 1969 with its headquarters based in London, England. We have an international network of offices to assist in delivering our core function of promoting the development of tourism to and within Great Britain and encouraging people to visit Great Britain. As such we are a global organisation.
5.3. The hosting facilities for our website(s) are situated in Ireland and the United Kingdom (except for any region-specific websites, such as, without limitation, China).
5.4. Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.
5.5. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
5.5.1. We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
5.5.2. Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
5.5.3. Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
5.6. Please contact us using the details set out at the bottom of this Policy if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
6. Security of your personal information
While we cannot guarantee that unauthorised access will never occur, we can assure you that we take great care in maintaining the security of your personal data to prevent unauthorised access to it, through the use of appropriate technology and internal procedures.
6.1. What we do to protect your information
We take a number of steps to protect your information from unauthorised access, use or alteration and unlawful destruction, including where appropriate:
6.1.1. Using Secure Sockets Layer (SSL) encryption when collecting or transferring sensitive information, such as credit card details (SSL encryption is designed to make the data unreadable by anyone but us).
6.1.2. Limiting access to the information we collect about you (for instance, only those of our personnel who need your information to carry out our business activities are allowed access).
6.1.3. Putting in place physical, electronic, and procedural safeguards in line with industry standards.
6.2. What you should do to protect your information
As general best practice on the Internet, it is recommended that individuals take great care with user accounts, and follow some basic rules:
6.1.1. Do not use trivial passwords (such as single dictionary words).
6.1.2. Do not use the same password for multiple accounts.
6.1.3. Do use very long passwords (at least 10 characters, but preferably much longer)
6.1.4. Do use passwords which contain a combination of upper and lower case letters, numbers and special characters e.g. $%^& etc.
6.1.5. Do keep passwords securely (never written down, or shared with anyone) and changed periodically.
7. Cookies
7.1. Our websites use industry-wide technologies, such as “cookies”, to collect information about the use of our websites and email communications. For instance, these technologies may tell us which visitors clicked on key elements (such as links or graphics) on a website or email and recognise your browser the next time you visit our websites.
7.2. Cookies allow us to customise your experience to better match your interests and preferences, or to simply facilitate your signing in to use the services. Most browsers will allow you to erase cookies from your computer hard drive, block acceptance of cookies or receive a warning before a cookie is stored. However, if you block or erase cookies, we may not be able to restore any preferences or customisation settings you have previously specified, and our ability to personalise your online experience would be limited. Please refer to your browser instructions to learn more about these functions.
7.3. More information about our use of cookies can be found in our Cookies Policy.
8. Retaining and deleting personal data
8.1. This paragraph 8 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
8.2. Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
8.3. Subject to paragraphs 8.4 and 8.5 below, we will retain your personal data as follows:
(a) personal data categories will usually be retained for a maximum period of 24 months following receipt unless such data is updated;
(b) general files can be retained for a period of 6 years since receipt by us;
(c) emails can be retained for a period of 5 years since receipt by us.
8.4. In some cases it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention by taking into consideration the period necessary for retention for its lawful purpose.
8.5. Notwithstanding the other provisions of this paragraph 8, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
9. Access to your information and your rights
9.1. In this paragraph, we have provided a summary of the rights that you have under current data protection law. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
9.2. Your principal rights under data protection law are:
(a) the right to be informed;
(b) the right to access;
(c) the right to rectification;
(d) the right to erasure;
(e) the right to restrict processing;
(f) the right to object to processing;
(g) the right to data portability;
(h) the right to complain to a supervisory authority; and
(i) the right to withdraw consent.
9.3. You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first electronic copy will be provided free of charge, but additional copies in specific formats may be subject to a reasonable fee.
9.4. You have the right to rectify any inaccurate personal data we hold about you and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
9.5. In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are exclusions of the right to erasure. The general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.
9.6. In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
9.7. You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
9.8. You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.
9.9. You have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
9.10. To the extent that the legal basis for our processing of your personal data is:
9.10.1 consent; or
9.10.2 that the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
9.11. To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
9.12. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
9.13. All such requests (with the exception of SAR’s) should be sent to our DPO to the email address set out in paragraph 11 below.
10. Our details
10.1. This website is owned and operated by the British Tourist Authority.
10.2. Our principal place of business is in London, England.
10.3. You can contact us:
(a) by post, to 3 Grosvenor Gardens, London, SW1W 0BD;
(b) using our website contact forms at https://www.visitengland.com/contact-us
11. Data protection officer
11.1. Our data protection officer's contact email address is DPO@visitbritain.org
11.2. You can request a copy of the personal data that we hold on file by sending a subject access request to SAR@visitbritain.org
More information
Read more on our Cookie Policy and the Freedom of Information and terms of use