Last updated: 16th July 2019
Burns Tours Dumfries
43 Barnton Road,
GDPR Compliance Policy
Burns Tours Dumfries handles personal data on an ad-hoc basis. It is aware of its responsibilities in respect of complying with GDPR regulations and is fully committed to maintaining information security to protect customers, suppliers and individuals.
We understand the importance of this and have a robust system in place to ensure compliance.
We have informed and educated our employees about how GDPR impacts our business, what process we have to follow and why it is important that we do so.
As a data processor we are responsible for the safe handling, transfer and destruction of personal files and have the following in place to ensure this is carried out securely:
- We have conducted an information audit to map information and data flow throughout the business.
- We document all personal data held, its origin, who it is shared with and what purpose we hold it for.
- We have an appropriate data protection policy which is management led and promoted positively throughout the business.
- We have implemented appropriate technical and organisational measures to integrate data protection into our processes.
- We have effective controls which will identify, manage and resolve personal data breaches.
- We have provided effective data protection awareness training to all staff.
- We have a robust but flexible process which can respond to the needs of the data controller in respect of supply, retention, back-up and suppression of specific personal data.
- Our systems are protected to the highest level from viruses and malware using the latest anti-virus software.
- We are committed to continuously improving our data protection management system.
- We have customer and supplier contracts which legally comply with GDPR.
For the purposes of clarification we have expanded on the following:
Burns Tours Dumfries is the data processor and our customer is the data controller or processor. We undertake to carry out personal data services based on our customer having either explicit consent to use this information or having agreed legitimate interest. Therefore, the onus is on our customer to have this consent and the controls in place to process the information legitimately, and we will not assume liability if this transpires not to be the case.
Data subject rights:
Individuals have the right (subject to conditions) to the following under GDPR:
- To object to the processing of their personal data
- For data portability
- To request that their data is updated and corrected
- For the erasure of their personal data
- To restrict the processing of their personal data
- To withdraw their consent to the processing of that data
- To lodge a complaint with the data protection authority
We will observe all of the above and facilitate those rights in a timely, efficient and professional manner within GDPR guidelines.