SECTION ONE: INTRODUCTION

Travco receive instructions from its clients. These instructions concern Travco making hotel bookings which are part of the holiday packages. The tourist for whom the holiday is arranged is the end user. As Travco is processing the end user’s requirements on behalf of the client and is accountable to the client, Travco is proceeding on the basis that Travco is the data processor and the client is the data controller. Travco will have no dealings with the end user.

With effect from 25 May 2018 the General Data Protection Regulations (GDPR) will replace the outgoing 1998 Data Protection Act. When the Data Protection Bill becomes law that legislation will, post Brexit, enshrine the GDPR in UK law. Reference to the GDPR is also a reference to the applicable provision of the Data Protection Bill. Reference to an Article is a reference to an Article in the GDPR.

The GDPR places additional obligations and liabilities on data processors. The applicable points are set out below.

1. Process personal data only according to the data controller's instructions under Article 29.
2. Maintain a record of data processing activities that complies with Article 30(2).
3. Implement appropriate technical and organizational measures in compliance with Article 32.
4. Have written data controller authorization before engaging subcontractors under Article 28(2) and pass obligations down to any data processors it engages via contract as specified in Article 28(4).
5. Notify the data controller of any security breach without undue delay in accordance with Article 33(2).
6. Only transfer personal data internationally in accordance with Article 44, which requires the data processor to have a compliant data transfer mechanism.
7. Make available to the data controller all information for the data controller to demonstrate compliance with its obligations under Article 28 (Processors), as set out in Article 28(3)(h).

Travco is aware of these obligations. The purpose of this document is to outline the necessary contractual clauses and to disclose the relevant information pertaining to Travco’s role as the data processor.

SECTION TWO: AUDIT

The GDPR requires data processors to confirm that they are GDPR compliant. To that end Travco is happy to disclose certain information.

Travco confirms that, unless requested, personal data disclosed to Travco will not be transferred outside the European Economic Area. If any such request is made then Travco will insist that the transfer is done in accordance with the GDPR. Travco will not “profile” people.

Travco will be fully transparent. Travco recognises that its clients in their capacity as data controllers have to compile its own audits and assessments. Travco will do what is reasonable to assist.

VARIABLE	RESPONSE
Technical & Organisational security measures.	A full audit of all email and data retention policies has taken place along with a review of all personal information contained within all shared network drives. All personal data is held within secure folders within the network accessible only by authorised users for business purposes. All firewalls and organizational security, including storage and destruction of printed documents have been reviewed and where found lacking improved upon. Full continuous technical auditing is in place throughout our entire technical network.
Procedure for you to search; export or delete for our personal data on your systems?	Forms for internal and external use are available on Travco’s website at www.travco.co.uk including but not limited to subject access requests and data deletion requests along with a breach notification form. All will be reviewed and handled in a timely manner by the Data Protection committee within the company structure.
Will you transfer data outside the European Economic Area?	Yes provided we have been instructed to do so, or have a valid business reason requiring us to do so in order to fulfil our role in any required transaction. Further information later in this document can be found on the scope of this data processing.
Details of Data Processing Records maintained by Travco.	Information of a personal nature is deleted at the point it no longer required for a business purposes or in any event at the expiry of seven years. All correspondence via electronic means is retained for a period not longer than seven years.
Details of Travco’s Breach Notification Process?	A Data Breach Notification form is accessible internally or externally via the Travco website www.travco.co.uk. The Data Protection Committee within Travco will handle all substantiated breaches and ensure that any agency required is notified of said breach.
Procedure governing the use of sub-processors.	All sub-processors Travco engages are service providers, of which consent has been provided for the transfer of data, as outlined later in this document. This is required for Travco to carry out the business it provides. We require all sub processors to be GDPR compliant.