Who we are
Welcome to Yorkshire is a Limited by Guarantee company whose aims are to help promote tourism and development of Yorkshire.
Our registered office is at Welcome to Yorkshire, Dry Sand Foundry, Foundry Square, Holbeck, Leeds, LS11 5DL, UK.
Company Limited by Guarantee no: 2896762.
For the purposes of Privacy Legislation, we are the Data Controller, registered at the Information Commissioners Office as a registration number: ZA321397
Privacy Law means the Data Protection Act 1998 (as amended by the Data Protection Act 2018), the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, the General Data Protection Regulation (from 25 May 2018) and all other applicable laws and regulations relating to processing of personal data and privacy in any applicable jurisdiction as amended and replaced, including where applicable the guidance and codes of practice issued by the UK Information Commissioner or such other relevant data protection authority.
Changes to Our Privacy Notice
We review this notice regularly as part of our internal processes or as our services, activities, or processes change. It is subject to change at any time, but the most up to date version is published on our website: letour.yorkshire.com
This notice is dated 23 May 2018.
By post to Data Protection Officer, Welcome to Yorkshire, Dry Sand Foundry, Foundry Square, Holbeck, Leeds, LS11 5DL, UK.
By email at [email protected]
Through our website letour.yorkshire.com
We take any complaints concerning your privacy very seriously. If you think our collection or use of your personal information is unfair, misleading or inappropriate please bring it to our attention and we will be happy to provide any additional information or explanations needed. We also welcome suggestions for improving our procedures.
You can also contact the Information Commissioner's Office at www.ico.org.uk or write to Wycliffe House Water Lane, Wilmslow, Cheshire SK9 5AF or 0303 123 1113 for information, advice or to make a complaint.
Your Privacy Rights
You have rights relating to your personal information. You can find more information about your privacy rights on the Information Commissioner's Office website www.ico.org.uk
You have the right to be informed about how and why we process your personal information including why we need it and how we will use it.
You can find most of the information you need in this Privacy Notice.
If you have any questions, please contact us at letour.yorkshire.com
You have the right to access your personal information
You can request a copy of information we hold about you at any time.
You may choose to exercise your right of access through any of our contact channels, but we may ask you to provide documented evidence of your identity before we process your request. We may also contact you to clarify your request or to ensure we have all the information we need to fully meet your request.
Privacy law requires us to respond to your request within 30 calendar days of verifying your identity (or within 3 months for more complex cases). You'll receive a full response as soon as we can reasonably provide one and we aim to resolve all subject access requests within 30 calendar days from confirming your identity. In more complex cases where we cannot provide a full substantive response within that time frame, we will write to you within 30 calendar days to explain why an extension is needed.
We don't charge for subject access requests.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
You have the right to ask us to correct inaccurate personal information we hold about you
If you believe information we hold about you to be inaccurate or incomplete, you can ask us to correct it or complete it at any time, through any of our contact channels. Wherever possible, we will correct inaccurate or incomplete information immediately.
In more complex cases we will take reasonable steps to confirm the accuracy of the information we hold. Whilst we investigate the accuracy of the information, we will restrict the processing of the information in question.
We will let you know the outcome of our investigation as soon as we can. Any information we can verify as inaccurate will be corrected within one month of receiving your request.
You have the right to ask us to delete your personal information
In some circumstances you have the right to ask us to delete information we hold about you. For example, if we have asked for your consent to process the information, and you withdraw that consent.
We will respond to your request as soon as we can, and we will act on any requests granted within one month of your request.
We can't delete some information where we have a legal or regulatory obligation to keep it. We may also refuse your request if we believe it to be excessive. If your request for deletion is refused, we will explain the reasons for refusal.
You have the right to ask us to restrict the use of your personal information
In some instances, you have the right to ask us to restrict the use of your personal information (for example if you have challenged the accuracy of the information we hold or have objected to our processing). We will restrict our use of your information whilst we investigate your objection or request to correct your information.
We will respond to your request as soon as we can, and we will act on any requests within one month of your request.
If your objection is unsuccessful, we will only continue processing once we've let you know the outcome of the investigation.
When processing is restricted, we are still permitted to store your personal data, but not use it. Information related to these requests will not be automatically deleted unless you expressly ask us to.
You have the right to data portability
Where we process your personal information with your consent or for the performance of a contract, and our processing is automated, you have the right to move, transfer or copy that data to another system for your own purposes. If we do in future, you can make a request and this data can be exported from our systems for you.
You have the right to ask us not to process your personal information
We process most of the information we collect about you under the lawful basis of 'legitimate interest'. You have the right to object to our processing your personal information under this lawful basis, or for marketing purposes (including profiling).
We will respond to your objection as soon as we can, detailing any actions we can reasonably make. If we believe there is an overriding compelling reason to continue the processing, we will explain why we think this is.
We will action any requests to stop direct marketing as soon as we receive your objection.
You can object to us using your data at any time through any of our contact channels.
Lawful basis for processing
Privacy Law states we must have a lawful basis for processing your information; the legal basis will vary depending on the circumstances of how and why we have your information. Usually we will do this in the following instances:
- the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests;
- you have given consent for us to process the information i.e. in relation to certain marketing activities;
- the processing is necessary for a contract we have, or because we have been asked to take specific steps before entering into a contract;
- the processing is necessary for compliance with a legal obligation to which we are subject i.e. we are required to provide certain information to HMRC;
- the processing is necessary for us to comply with the law.
Information we collect from you and what we do with it
To provide our services to you, we need to collect, process and store information about you. We use your information to administer, support, improve and develop our business generally, to provide statistical information to meet our lawful requirements and to enforce our legal rights. If we intend to use your information for a different purpose, we will do so in ways consistent with Privacy Law or, wherever possible, by notifying you in advance.
We will only use your information for the specific purpose(s) for which it has been provided to or collected.
We collect and process a variety of information from you and about you. In most cases, the information we collect about you is provided by you directly. This helps us to confirm the information we collect is accurate and as up to date as possible. We will usually do this when you first contact us, though we may ask you to confirm your details on subsequent contacts from time to time.
The type of information collected from you and obtained about you will vary depending on your association with us. However, in almost all cases we are likely to ask you to provide name, address and contact details (including phone number, e-mail address or social media identifiers) - to contact you about your enquiry, or membership, and keep you up to date about the services you have requested or receive from us, inform you about any service interruptions, or contact you with other information related to our business; financial information (including method of payment and bank account details) - to subscription you for the services you receive from us and manage your payment arrangements;
We will only collect sensitive personal information about you with your explicit consent, and for a specified purpose which will be explained to you at the time.
If you contact us by phone we will keep a copy of the recording.
If you contact us by post or e-mail we will keep a record of the contact.
If you use our website, we will keep a record of the contact and we may collect additional information about you to provide a better digital service and website functionality.
More detailed information on what we collect in different circumstances and how it will be used is set out below to 'what to expect when you contact us’.
Information we collect or obtain from others about you
We prefer to collect information about you directly. This helps us to confirm the information we collect is accurate and as up to date as possible.
We may receive information collected by our business partners or sub-contractors relating to services they are delivering to you, or to respond to a complaint you have made.
We also work closely with trusted partners (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, local authorities, credit reference agencies and debt collection agencies) and may receive information about you from them.
If you contact us by phone or in writing (including e-mail, live chat, social media or via our website) we will record, monitor or keep copies of the correspondence. We keep this information for several reasons (including fraud prevention and crime recording/investigation) but the main reasons are to:
- assist our response to any queries you may have;
- ensure we continue to offer you the best possible service;
- maintain standards and help train our staff;
- demonstrate our compliance with any regulatory obligations; and
- keep our records up to date so that we don't offer you services that you don't need.
Contacting us by telephone
When you contact us by telephone, your telephone number may be added to your records so that we can contact you in future to provide further services or information.
We may use a telephone number listed on your account to contact you to discuss your membership account or text you with reminders to pay unpaid subscriptions.
Contacting us by post
All customer post, including enclosures, received by us is scanned electronically on to our systems. Where the post relates to an identifiable record or account, we will store the letter and attachments on that record.
Post is stored and processed in a secure area of the building. The retention of hard-copy documents and electronic images of post received is detailed in our data retention rules.
If you email us, we will respond to you using the email address you gave us. We may add your email address to your account and it may be used for future communications.
Please note that email isn't considered to be a secure communication method. If you have any concerns over the security of your information in transit, please raise this with us so that we can suggest alternative methods of contact.
Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with our own policies. Emails are stored, archived and deleted in line with our information security and data retention policies.
Contacting us via social media
We strongly advise not to post your personal contact or other sensitive information on a public social media site. If you contact us using social media to report an issue, we will ask you to private message us to gather suitable information. We may suggest an alternative contact method if we think this is more appropriate.
Making a complaint
If you make a complaint to us, we will follow our complaints process.
We may need to share details about your complaint internally to fully investigate. If you escalate your complaint to the Information Commissioners Office, we may share information with them in order to resolve your complaint.
If the complaint relates to a service provided by a third party, we will share information with them to resolve your complaint. If a complainant doesn't want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will only use the personal information we collect to process the complaint and to examine the level of service we provide. We may compile and publish statistics showing information (for example the number of complaints we receive), but not in a form which identifies any individuals.
We will keep complaints in line with our data retention policy. This means that information relating to a complaint will be retained for seven years from closure.
Visiting our website
Each time you visit our website or mobile application we will automatically collect the following information:
technical information - this includes the Internet protocol (IP) address used to connect your device to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
Location information - When using one of our location-enabled services on our website or mobile applications, we may collect and process information about your actual location. If you wish to use the feature, you'll be asked to consent to your data being used for this purpose. You can withdraw your consent at any time either by modifying the geo-location settings of your web browser or the location awareness permissions of your mobile device.
Session information - information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
We use information gathered through cookies and similar technologies to measure and analyse information on visits to our websites, to tailor the websites to make them better for visitors and to improve technical performance (see below for more information). We will not use the data to identify you personally or to make any decisions about you.
Our website may also contain links to and from other websites including our partner networks and affiliates. If you follow a link to any of these websites, please note that we do not have control over these websites or their content. These websites have their own privacy policies and we will not accept any responsibility or liability for you visiting these. We recommend that you review the website terms and conditions that are applicable to the third-party website.
Information about using our online members subscription platform
You'll need your name, email address, and password to register and each time you access your on-line members subscription account. Do not share your password with anyone else, even our staff.
We retain the right to delete or remove online accounts where we deem them to have been misused, duplicated, dormant, or invalid for a period of time. Where possible we will contact you by email when we discontinue any accounts. We may continue to send your subscriptions through the post.
Information about cookies we use
Information we share with others
In most circumstances we will not disclose your personal information without your consent. However, there are circumstances where we need to share some of your information to meet our compliance obligations or where we are permitted to under Privacy Law.
We may share your personal information with any member of the Welcome to Yorkshire team. We do this to ensure we offer you a consistent service across our products.
We share your personal information with our Welcome to Yorkshire employees; all access is controlled in accordance with our IT Security Policies.
We have legal obligations to share data with some third parties identified in law. We may disclose your personal information to third parties if we are under a duty to disclose or share your personal information to comply with any legal obligation. We do not require your consent to process your information in this way.
Sometimes we are contacted by HMRC, the Department for Work and Pensions DWP, the police, fraud agencies or Immigration UK Visas and Immigration asking for information about our individual members and customers. Under Privacy Law, we are permitted to share this data with them without your consent and you will not be notified that this has been done. This is in the support of the prevention and detection of crime.
Agreements we have with other organisations for sharing information
We use trusted partners and sub-contractors to process some of your personal information.
We have in place some data sharing agreement for mutual benefits. For example, we have data sharing agreements with some partners to help keep our customer data accurate. This may involve the sharing of names and addresses of customers.
Trusted Partners we use who may have access to your data
We use trusted partners to help us process your personal information and provide services to you. All of our data processors have a binding contract with us that restricts their access to and handling of your personal information to only what is necessary in performance of their contract.
- third-party IT and software providers for different systems, like our social media and email management, our open source content management system (CMS) platform for publishing content on our websites, and others to support us with processing the large amounts of data that we need to manage.
Occasionally these providers store or back-up information on servers outside the European Economic Area. We have sought assurances that those arrangements comply with Privacy Law requirements for the transfer of personal data outside the EEA.
- companies to help us process payments including card payments and to process cheques;
- From time to time we require legal advice and may need to share your personal data with our legal advisers or our insurance companies or other professional advisors to obtain advice or make a claim.
Where we store your information and how we keep it safe
All customer personal information is stored on our corporate systems on secure IT servers. We operate a suite of IT and security policies to ensure your information is kept secure, including appropriate access and auditing controls.
We use anti-virus software and fire walls to protect against cyber-attack. Unfortunately, the transmission of information via the internet isn't completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of information you send to us that is outside of our security arrangements; any transmission is at your own risk.
We also operate strict physical security at all our sites and employees all receive security and data protection awareness training.
We may store your personal information on your local device, such as your computer or mobile phone to assist you in your repeated use of our services. We have no control over inappropriate access to this information. You can delete this information at any time using the facilities of your Internet browser or by removing our application from your mobile device.
Where we transfer information to third parties to enable them to process it on our behalf (see the information about Trusted Partners above), we ensure that the providers meet or exceed the relevant legal or regulatory requirements for transferring data to them and keeping it secure.
How long we will keep your information
We only keep your information for as long as we need it. We will retain certain information (i.e. contact information and bank details) for as long as you have a relationship with us. Our data retention policy and rules outline these time frames in detail, but the length of time depends on the purpose of the processing.
Generally, we keep:
- customer members subscription, correspondence, complaints, financial details and contact histories - we will retain this data whilst you continue to engage with us for our services and thereafter for up to seven years;
- data subject requests (i.e. subject access requests and objections) for up to two years;
- webchats and social media posts (in third party systems) for up to twelve months, unless related to a complaint;
After which time your personal information will be either deleted or anonymised.
These retention periods may be extended in certain limited cases as prescribed or permitted by law - i.e. because of an accident at one of our events or to bring or defend a legal claim.