Data Controller contact
The Royal Yacht
How we use your information
This privacy notice tells you what to expect when The Royal Yacht Hotel (RYH) collects personal information. It applies to information we collect about:
- people who use, or have used our services,
- visitors to our websites and onsite;
- complainants and other individuals in relation to a data protection or freedom of information complaint or enquiry;
- people who notify under the Data Protection (Jersey) 2018 Law
- Job applicants and our current and former employees.
The Royal Yacht Hotel
- RYH is a hotel, which holds and processes the personal data for the functionality of business within the tourism industry. The Spa and restaurants fall under the RYH for data protection purposes.
Legal grounds for processing personal data
- RYH needs to ensure activities involving the processing of personal information are undertaken under one of the six legal grounds for processing.
- Article 6(1) of the GDPR sets out the conditions that must be met for the processing of personal data to be lawful. They are:
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- In the event that the above 2 conditions are not met, RYH will ensure one of the following conditions is met:
- the data subject has given consent to the processing of their personal data for one or more specific purposes;
- processing is necessary in order to protect the vital interests of the data subject;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
People who use RYH services
- We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes.
Service providers reporting a breach and retention
- Public electronic communications service providers are required by law to report any security breaches involving personal data to RYH.
- We retain personal information only for as long as necessary to carry out these functions, and in line with our retention schedule.
- RYH and ASL have measures in place to ensure the security of data collected and transferred to RYH via this form. ASL is a data processor for RYH and only processes personal information in line with our instructions.
Visitors to our websites
- When someone visits https://www.theroyalyacht.com/ we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site.
- This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
- Third parties power the search engine and decision notice search. No Personally Identifiable Information is stored or used by these third parties.
- We use a third party provider, Revinate, to deliver our monthly e-newsletters. We gather non identifiable statistics around email opening and clicks using industry standard technologies, to help us monitor and improve our e-newsletter. For more information, please see Revinate privacy notice here
Security and performance of the website.
- RYH may use a third party service to help maintain the security and performance of RYH website. To deliver this service it may process the IP addresses of visitors to RYH website. Details of this service can be obtained by contacting [email protected]
People who contact us via social media
- We use multiple platforms, including Facebook, Instagram, Twitter & LinkedIn
- If you send us a private or direct message via social media the message will be stored for three months.
- The message, and the information contained within, will not be shared with any other organisations unless requested to do so.
People who email us
- We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government.
- If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.
- We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
People who make a complaint to us
- When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
- We will only use the personal information we collect to process the complaint and to check on the level of service we provide.
- We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
- We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
- Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
Transfers outside Jersey
The Royal Yacht Hotel will make best endeavours to not send personal data outside of Jersey / EU / Countries with adequacy status. Any information that is to be sent to any 3rd countries will be done as per the Policy and Procedure, which is available at request.
Data Subject Rights
As the data subject, you have the following rights
- Right to access your data
- Right to rectify your data
- Right to erase your data unless obliged by another law
- Right of portability of your data
- Right to Withdraw consent at any time
- Right to make a complaint to the supervisory Body
- Right to knowledge of automated processing of data, and the logic and potential consequences.
- Right to the origin of personal data if not provided by yourself.
How to make a complaint to the supervisory Body.
If you wish to make a complaint to the supervisory body, the Office of Information Commissioner (OIC) – then you can ask for the form, or fill out the online form on the OIC website here.
RYH and its employees
Job applicants, current and former RYH employees
- RYH is the data controller for the information you provide during the process unless otherwise stated. If you have any queries about the process or how we handle your information please contact us at [email protected]
- What will we do with the information you provide to us?
- All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
- We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
- We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
What information do we ask for, and why?
- We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
- The information we ask for is used to assess your suitability for employment.
- We use several recruitment agencies, and they will collect your data as a data processor on our behalf.
- We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Our recruitment team will have access to all of this information.
- Our hiring managers shortlist applications for interview.
- We might ask you to participate in assessment days; complete tests – and/or to attend an interview – or a combination of these.
- Information will be generated by you and by us. For example we might take interview notes. This information is held by RYH.
- If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of three months. If you give consent, we would proactively contact you should any further suitable vacancies arise.
- If we make an offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.
- You will therefore be required to provide:
- Proof of your identity – you will be asked to attend our office with original documents, we will take copies.
- Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies.
- You will be asked to complete a criminal records declaration to declare any unspent convictions.
- We may require a background check to be made. We may ask you to perform this yourself by going to the Jersey Police to undertake a Basic Criminal Record check via the Disclosure and Barring Service, or Access NI, which will verify your declaration of unspent convictions.
- We will contact your referees, using the details you provide in your application, directly to obtain references
- We will also ask you to complete a form about your health and to give consent for us to speak to your doctor if necessary. This is to establish your fitness to work. – You do this – there is a form
- On acceptance of an employment offer & commencement of work, we will also ask you for the following:
- Bank details – to process salary payments
- Emergency contact details – so we know who to contact in case you have an emergency at work
Post start date
- Our Code of Conduct requires all staff to ensure they maintain the highest standard at the Royal Yacht.
- If any warnings, verbal or formal, are issued, they will be retained on file as per the warning Procedure. Once the timeframe is up, these will be retained for a further 3 months before being destroyed, unless we are required to maintain them for another purpose.
Use of data processors
- Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
How long is the information retained for?
- If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 10 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references. – the General consensus is 10 years
- If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign.
- Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.
- Equal opportunities information is retained for 6 months following the closure of the campaign whether you are successful or not.
How we make decisions about recruitment?
- Final recruitment decisions are made by hiring managers and members of our recruitment team. All of the information gathered during the application process is taken into account.
- You are able to ask about decisions made about your application by speaking to your contact within our recruitment team or by emailing [email protected]
- Under the Data Protection (Jersey) 2018 Law, you have rights as an individual which you can exercise in relation to the information we hold about you.
- You can read more about these rights on page 4 of this document
Complaints or queries
- RYH tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
- This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of RYH’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
- If you want to make a complaint about the way we have processed your personal information, you can contact us or you can contact the Information Commissioners office if you wish using this form – or visiting their website here
Access to personal information
- RYH tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection (Jersey) 2018 Law
- If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
- To make a request to RYH for any personal information we may hold you need to put the request in writing addressing it to our Information Governance department, or writing to the address provided below.
- If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
- If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Information Governance department.
Disclosure of personal information
- In many circumstances we will not disclose personal data without consent. However when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies. Further information is available in our Information Charter about the factors we shall consider when deciding whether information should be disclosed.
- You can also get further information on:
- agreements we have with other organisations for sharing information;
- circumstances where we can pass on personal data without consent for example, to prevent and detect crime and to produce anonymised statistics;
- our instructions to staff on how to collect, use and delete personal data; and
- how we check that the information we hold is accurate and up to date.
- Links to other websites
- This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Covid19 Contact Tracing Programme guidance
When you make a restaurant or accommodation reservation or attend our premises for a drink/meal; we will record your name and telephone number or email address as part of that process. As a responsible business and to assist the Government with their fight against COVID-19 we take part in their ‘Contact Tracing’ programme.
We will share your information with the Government as part of this program if our premises forms part of a COVID-19 positive case. This will give the Government an opportunity to contact you with information and offer testing if you possibly came into contact with a person who tested positive.
The legal basis for us to process your information in this way is ‘Legitimate Interest’. We will share your data with the Government Contact Tracing team only when required to do so.
Your information will be retained for 21 days, post attendance, after which it will be securely disposed of.
RYH CCTV Policy
– CCTV system overview
– Purposes of the CCTV system
– Monitoring and recording
– Compliance with Data Protection legislation
– Retention of images
– Monitoring compliance
– Policy Review
The Royal Yacht Hotel has in place a CCTV surveillance system.
This document details the purpose, use and management of the CCTV system and details the procedures to be followed in order to ensure that the Hotel complies with relevant legislation and the current Information Commissioner’s Office Code of Practice.
The Hotel will have due regard to the Data Protection (Jersey) Law 2018 and any subsequent data protection legislation, and to the Freedom of Information Act 2000, the Protection of Freedoms Act 2012 and the Human Rights Act 1998.
This document, and the procedures detailed therein, apply to the Hotel’s CCTV system, including body worn cameras, for the purpose of viewing and/or recording the activities of individuals. CCTV images are monitored and recorded in strict accordance with this policy.
- CCTV System overview
The CCTV system is owned and managed by the Royal Yacht Hotel and its appointed agents.
Under the Data Protection (Jersey) Law 2018 the Royal Yacht Hotel is the ‘data controller’ for the images produced by the CCTV system. The Hotel is registered with the Information Commissioner’s Office.
The CCTV system operates to meet the requirements of the Data Protection Act and the Information Commissioner’s Guidance.
The Deputy General Manager is responsible for the overall management and operation of the CCTV system, including activities relating to installations, recording, reviewing, monitoring and ensuring compliance with this policy.
The CCTV system operates across the property. Signs are placed at pedestrian and vehicular entrances in order to inform both members of the public and staff that CCTV is in operation. (Signage is currently being updated to comply with local legislation)
Cameras are sited to ensure that they cover the Hotel premises as far as is possible.
The CCTV system is operational and is capable of being monitored for 24 hours a day, 365/6 days of the year.
- Purposes of the CCTV system
The principal purposes of the Hotel’s CCTV system are as follows:
– for the prevention, reduction, detection and investigation of crime and other incidents;
– to ensure the safety of hotel residents, clients and staff;
– to assist in the investigation of suspected breaches of Hotel regulations by staff.
The Hotel endeavours to operate its CCTV system in a manner that is consistent with respect for an individual’s privacy.
- Monitoring and Recording
Cameras are monitored in a secure manner. They are not manned 24 hours per day.
Images are recorded centrally on servers located securely on site at the hotel and are viewable in Security Service areas by specifically trained staff. Additional staff may be authorised by the Deputy GM to monitor cameras sited within their own areas of responsibility on a view only basis (e.g. the Pool, for safety reasons).
The cameras installed provide images that are of suitable quality for the specified purposes for which they are installed and all cameras are checked daily to ensure that the images remain fit for purpose and that the date and time stamp recorded on the images is accurate.
All images recorded by the CCTV System remain the property of the Hotel.
The monitoring of staff activities will be carried out in accordance with Employment Practice
The use of covert cameras will be restricted to rare occasions, when a series of criminal acts have taken place within a particular area that is not otherwise fitted with CCTV. A request for the use of covert cameras will clearly state the purpose and reasons for use and the authority of the General Manager will be sought before the installation of any covert cameras. The General Manager should be satisfied that all other physical methods of prevention have been exhausted prior to the use of covert recording.
Covert recording will only take place if informing the individual(s) concerned would seriously prejudice the reason for making the recording and where there are reasonable grounds to suspect that illegal or unauthorised activity is taking place.
All such monitoring will be fully documented and will only take place for a limited and reasonable period.
Body worn cameras may be used by Security Staff in the operation of their duties. The downloading of images from such cameras will only be conducted by trained security staff.
Security staff wearing body worn cameras will disclose, when approaching persons, that they are being video and audio recorded
- Compliance with Data Protection Legislation
In its administration of its CCTV system, the Hotel complies with the Data Protection (Jersey) Law 2018.
Due regard is given to the data protection principles embodied in the Data Protection Act. These principles require that personal data shall be:
- a) processed lawfully, fairly and in a transparent manner;
- b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- d) accurate and, where necessary, kept up to date;
- e) kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Retention of images
Unless required for evidential purposes, the investigation of an offence or as required by law, CCTV/BodyCam images will be retained for no longer than 30 days from the date of recording. Images will be automatically overwritten after this point. (The timing may sometimes vary slightly depending on the level of activity, as cameras are motion sensitive and overwrite on a cycle.)
Where an image is required to be held in excess of the retention period referred to above, the Deputy General Manager or their nominated deputy, will be responsible for authorising such a request.
Images held in excess of their retention period will be reviewed on a three monthly basis and any not required for evidential purposes will be deleted.
Access to retained CCTV images is restricted to the Deputy General Manager and other persons (Head of Security) as required and as authorised by the General Manager.
- Monitoring Compliance
All staff involved in the operation of the Hotel’s CCTV System will be made aware of this policy and will only be authorised to use the CCTV System in a way that is consistent with the purposes and procedures contained therein.
All staff with responsibility for accessing, recording, disclosing or otherwise processing CCTV images will be required to undertake data protection training.
- Policy review
The Hotel’s usage of CCTV and the content of this policy shall be reviewed annually by the Deputy General Manager with reference to the relevant legislation or guidance in effect at the time. Further reviews will take place as required.
Changes to this privacy notice
- We keep our privacy notice under regular review.
- This privacy notice was last updated in August 2020
How to contact us
The Royal Yacht Hotel