
Privacy Policy

This Privacy Policy explains how The Global Travel Organisation uses and discloses personal information about you when you visit our website or use our services. We are committed to protecting your privacy and complying with applicable data protection laws.

INFORMATION WE COLLECT

We collect personal information to make your experience as smooth and rewarding as possible. The information we may collect includes, but is not limited to, your name, email address, and mobile number.

USE OF PERSONAL INFORMATION

We use your personal information for the purposes you provided it, such as fulfilling bookings, answering inquiries, and improving our services.

Additionally, we may use your data to:

  • Notify you of important updates or changes to our services or terms
  • Provide you with marketing communications, where you have consented to receive such information.

If we intend to use your personal information for purposes other than those for which it was originally collected, we will seek your explicit consent before proceeding.

You have the right to withdraw your consent at any time, and you can do this by contacting us via the GTO Mobile App.

DISCLOSURE OF PERSONAL INFORMATION

  • We use your personal information to be able to book on your behalf.

We will only disclose personal information when it is necessary for the performance of the service.

NO SALE OF PERSONAL INFORMATION

We do not sell, rent, or share your personal information for monetary gain.

SECURITY OF PERSONAL INFORMATION

We take the protection of your personal data seriously and implement appropriate technical and organisational measures to safeguard your information from unauthorised access, loss, or disclosure. Our website uses (such as SSL) to ensure secure transmission of sensitive data.

DATA RETENTION

We will only retain your personal data for as long as necessary to fulfil the purposes outlined in this Privacy Policy. If we no longer require your information, we will securely delete it.

CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time, and any changes will be posted on this page. Please check this Privacy Policy regularly to stay informed about how we are protecting your personal information.


Data Privacy Policy Standards & Guidelines

1. Introduction

  • Global Travel Organisation is committed to protecting and respecting your privacy.
  • This Data Privacy Policy outlines how we collect, use, store, and protect personal data.
  • This policy applies to all personal data we collect, process, and store, and provides guidelines for handling and securing this information. It is designed to ensure that we handle personal data fairly, lawfully, and transparently.

2. Data Protection Principles

We are committed to ensuring that personal data is:

  • Processed lawfully, fairly, and transparently.
  • Collected for specified, legitimate purposes and not processed in ways that are incompatible with those purposes.
  • Processed in a manner that ensures appropriate security of personal data.

3. What Personal Data We Collect

We may collect and process the following types of personal data:

  • Contact details: Name, Email address and Mobile number.
  • Marketing data: Preferences and feedback from interactions with our website, newsletters, or other communications.

4. Purpose of Data Processing

We process personal data for the following purposes:

• To fulfil bookings on our customers’ behalf.

• To communicate with customers about bookings, updates, and promotions.

5. Legal Basis for Processing

We are required to ensure that we have a legal basis for processing personal data.

The legal bases we rely on include:

• Consent: Obtained for specific purposes (e.g., marketing communications).

• Contractual necessity: To fulfil our contractual obligations (e.g., processing bookings).

6. Data Sharing and Disclosure

We may share personal data with service providers in the following circumstances:

• Service Providers: entities that we book with, such as hotels, airlines, etc. (only the required information is shared, such as the Name, Last name and in some cases the nationality; no further information is shared).

7. Data Retention

We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including reservations, internal accounting, or internal reporting requirements. Personal data will be securely deleted once it is no longer needed.

8. Security of Personal Data

We employ a range of security measures to protect your personal data, including:

• Access controls and authentication procedures.

• Staff training on data privacy and security.

9. Data Protection Programme and Training

We have implemented a Data Protection Programme to ensure ongoing compliance with the laws. This includes:

• Data mapping: Identifying what personal data we collect and how it is used.

• Privacy by design: Embedding data protection principles into our operational processes and systems.

• Staff training: Providing regular training on data privacy and security best practices for all employees.

12. Compliance and Monitoring

We conduct periodic audits and reviews of our data protection practices to ensure compliance with the laws.


Type of Information Collected & How We Process It

1. Purpose
This document outlines the types of information we collect from you and how we process it.

2. Types of Information We Collect:
We may collect the following information:

  1. First Name
  2. Last Name
  3. Email Address
  4. Mobile Number

3. Purpose of Collecting This Data:
We collect and process this information for the following purposes:

  1. To create and manage your membership.
  2. To activate and personalise your mobile app.
  3. To facilitate bookings on your behalf.
  4. To share promotions, updates, and new benefits added to your membership.

4. How we process the data:

| Processing Activity | Description of Data | Purpose of Processing | Retention Period |
| --- | --- | --- | --- |
| Customer Registration | Name, email address, Mobile number | To create and manage customer accounts, provide services, and communicate with customers | Retained for the duration where the Membership is valid, then deleted once membership expires and/or all reservations are used and no further pending reservations, all information is deleted |
| Reservations Processing | Name, Email address, Nationality, reservations details and history | To process the reservations | Retained for the duration where the Membership is valid, then deleted once membership expires and/or all reservations are used and no further pending reservations, all information is deleted |
| Customer Support | Name, email address, Mobile number, support query details | To respond to customer inquiries and help | Retained for the duration where the Membership is valid, then deleted once membership expires and/or all reservations are used and no further pending queries or bookings related to this query, all information is deleted |
| Marketing Communications | Name, email address, mobile number | To send promotional communication, newsletters, product updates, promotions and offers | Retained for the duration where the Membership is valid, then deleted once membership expires and/or all reservations are used and no further pending reservations, all information is deleted |


5. Secure Destruction of Data:

a. Once the membership expires and there are no further bookings pending, all personal and relevant data will be securely deleted from our system in accordance with our data retention and security policies.


Privacy Incident and Data Breach Response Program

1. Definitions

  • Privacy Incident: Any occurrence or event that may potentially affect the privacy of personal data, including unauthorised access, loss, destruction, alteration, or disclosure of data.
  • Data Breach: A data breach is a specific type of privacy incident that involves the unauthorised access to, disclosure, loss, or destruction of personal data. Data breaches typically involve a risk to the rights and freedoms of data subjects.

2. Incident Detection and Reporting

2.1. Detection of Privacy Incidents
Privacy incidents may be detected through various methods, including:

  • Regular monitoring and audits of systems, networks, and data.
  • Reports from employees.
  • Alerts from security systems or breach detection software.
  • Monitoring of suspicious activity or access attempts.

2.2. Incident Reporting Process
Any employee who detects or suspects a privacy incident or data breach must immediately report it to the designated Incident Response Team. Reports should be submitted via:

  • Email
  • Phone

3. Problem Detection

  • Response Plan Activation
    Once we detect any suspicious movement, it gets reported to the designated team, who conducts an initial assessment of the incident immediately after detection, and the response team will develop an action plan to contain and investigate the breach.

4. Incident Investigation and Containment

4.1. Initial Assessment
Upon notification of an incident, we will assess the nature and scope of the breach, including:

  • What data was involved?
  • How did the breach occur?
  • Who may be affected?

This assessment will determine whether the incident is classified as a data breach and requires further investigation.

4.2. Containment and Remediation Measures
To prevent further damage or spread of the breach, the team will immediately implement containment measures, including:

  • Isolating affected systems or networks.
  • Changing passwords or access credentials for compromised accounts.
  • Disconnecting devices or servers from the network.
  • Applying additional security measures, such as firewalls, if necessary.

4.3. Mitigation
We will implement measures to mitigate the effects of the breach, including restoring data from secure backups (if applicable) and securing any exposed personal data.


5. Risk Assessment

5.1. Assessing the Impact of the Breach
Following containment, we will conduct a comprehensive risk assessment to determine:

  • The nature of the personal data involved (e.g., sensitive data such as financial information, health data, or personal identifiers).
  • The potential harm or risks to affected individuals.
  • Whether the breach is likely to result in a risk to the rights and freedoms of the affected individuals.

5.2. Severity Rating
Each incident will be assigned a severity rating (low, medium, or high) based on the assessment of the potential risks involved. This rating will guide the urgency and scale of the response actions, including notifications to regulators and individuals.


6. Notification

6.1. Notification to Data Subjects
If a data breach results in high risk to individuals, we will notify affected data subjects as soon as possible. The notification will include:

  • A description of the breach, including its nature and scope.
  • The likely consequences of the breach for individuals.
  • Measures taken to address the breach, including any mitigation steps.

7. Post-Incident Review

7.1. Incident Documentation
All details of the privacy incident, including the investigation, response actions, communications, and final resolution, will be documented thoroughly by our team.

7.2. Root Cause Analysis
Following the resolution of the incident, a root cause analysis will be conducted to determine how the breach occurred and whether any preventive measures or improvements to systems, processes, or security controls are needed.

7.3. Corrective Actions
Based on the findings from the post-incident review, corrective actions will be implemented to prevent future incidents, which may include:

  • Updating security protocols or software.
  • Conducting additional employee training on data protection.

8.2. Policy and Process Updates
This Privacy Incident and Data Breach Response Program will be reviewed and updated periodically to ensure it remains in compliance with evolving standards and industry best practices.


Recording and destruction of data process

1. Information needed for processing bookings for customers:

  • Personal Information: First & Last Name
  • Contact Information: Email & Mobile Number
  • Purpose of Processing: Customer relationship management, Processing bookings and reservations, marketing communications, and customer support.

2. Description of the Processing Activities

| Processing Activity | Description of Data | Purpose of Processing | Retention Period |
| --- | --- | --- | --- |
| Customer Registration | Name, email address, Mobile number | To create and manage customer accounts, provide services, and communicate with customers | Retained for the duration where the Membership is valid, then deleted once membership expires and/or all reservations are used and no further pending reservations, all information is deleted |
| Reservations Processing | Name, Email address, Nationality, reservations details and history | To process the reservations | Retained for the duration where the Membership is valid, then deleted once membership expires and/or all reservations are used and no further pending reservations, all information is deleted |
| Customer Support | Name, email address, Mobile number, support query details | To respond to customer inquiries and help | Retained for the duration where the Membership is valid, then deleted once membership expires and/or all reservations are used and no further pending queries or bookings related to this query, all information is deleted |
| Marketing Communications | Name, email address, mobile number | To send promotional communication, newsletters, product updates, promotions and offers | Retained for the duration where the Membership is valid, then deleted once membership expires and/or all reservations are used and no further pending reservations, all information is deleted |


4. Data Subject Rights

Customers can exercise the following rights related to their personal data:

  • Right of Access: Customers can request a copy of the personal data we hold about them.
  • Right to Rectification: Customers can request corrections to any inaccurate or incomplete data.

Note that we don’t keep any information; we only ask for the information when processing the bookings, and every time the customer books we ask for the data to be added to the booking.


5. Security Measures

We implement technical and organisational measures to ensure the security of personal data:

  • Access Control: Only authorised personnel can access personal data.

8. Data Retention and Deletion

Personal data will be deleted after the applicable retention periods.

We are committed to regularly reviewing our data retention policies to ensure that personal data is not kept longer than necessary and is securely deleted once it is no longer required.


9. Updates to the Record of Processing Activities

This Record of Processing data will be reviewed periodically and updated as necessary to reflect any changes in data processing activities, legal requirements, or organisational practices.


Data Processing by Design and by Default Policy

1. Purpose

The purpose of this Data Processing by Design and by Default Policy is to establish the principles and practices of GTO in ensuring that data processing activities are aligned with the privacy principles of data protection by design and data protection by default. This policy is designed to ensure that personal data is processed with the highest level of privacy and security throughout its lifecycle, from collection to deletion.

2. Data Protection by Design

2.1. Integration of Privacy into System Design
We integrate data protection and privacy measures into the design and development of all new products, services, and business processes. This means that privacy and data security are considered at the earliest stages of any project, initiative, or change to business operations. Our approach includes:

  • Data Minimisation: We will only collect personal data that is necessary for the specific purpose for which it is being processed. We avoid excessive or irrelevant data collection.
  • Purpose Limitation: Personal data is collected for specified, legitimate purposes and is not further processed in a manner incompatible with those purposes.
  • Secure System Design: Security controls, such as access control and auditing mechanisms, are integrated into systems from the design phase to prevent unauthorised access, loss, or alteration of personal data.
  • Data Subject Rights: We ensure that systems are designed in a way that supports the effective exercise of data subject rights, such as rights to access and correction.

2.2. Anonymisation and Pseudonymisation
We employ techniques such as anonymisation or pseudonymisation where possible to reduce the risk to individuals’ privacy. In cases where full anonymisation is not possible, pseudonymisation ensures that personal data is not easily traceable back to an individual without additional information that is kept separate.


3. Data Protection by Default

3.1. Ensuring Data Protection as the Default Setting
We implement data protection measures that ensure privacy is maintained by default, even in the absence of user intervention. This includes:

  • Default Privacy Settings: When designing our services, we set the highest level of privacy as the default setting. Personal data will not be collected or shared unless explicitly necessary for the service being provided.
  • Access Control by Default: Personal data is only accessible to those employees or service providers (such as the hotels, airlines, etc., to be able to fulfil the reservation on the customers’ behalf) who require it to perform their duties.
  • Data Retention: We implement default retention periods for personal data based on its purpose. Data will only be retained for as long as it is necessary for the purpose for which it was collected, and then securely deleted or anonymised by default.

4. Technical and Organisational Measures

To support data processing by design and by default, GTO has implemented the following technical and organisational measures:

  • Access Control Mechanisms: We implement role-based access control to ensure that personal data is only accessible to those who need it for their job responsibilities.
  • Regular Audits: We regularly audit our data processing activities, systems, and policies to ensure compliance with this policy and data protection standards. These audits help identify potential risks and enable us to address any gaps in privacy and security.
  • Incident Response Plan: We maintain a robust incident response plan to respond to potential data breaches, with measures to contain and reduce the impact of breaches, notify affected individuals,
  • Employee Training: All employees are regularly trained on data protection principles, including privacy by design and by default, to ensure that they understand their obligations regarding data privacy and security.

5. Data Subject Rights

5.1. Transparency and Consent
As part of our commitment to privacy by default, we ensure that individuals are informed about how their data will be used and give their explicit consent before any data processing activities take place.

5.2. Rights to Access, Rectification, and Erasure
Our systems are designed to facilitate the rights of data subjects under data protection laws, including:

  • Access: Individuals can request access to the personal data we hold about them.
  • Rectification: Individuals can request corrections to inaccurate or incomplete data.

6. Policy Review and Updates

This policy will be reviewed periodically or as needed, to ensure it remains in compliance with applicable data protection standards. Any significant changes will be communicated to employees.

GTO Members is a brand of InHouse World Ltd.

Registered in England, Company No. 9511392

Headquarters (UK): 120 Regent Street opposite Burberry, London, W1B 5FE

Phone: +442078460889

Email: info@gtomembers.com


Copyright 2024 - InHouse World