We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and how to contact us. We seek at all times to comply with the General Data Protection Regulation (GDPR).
Who we are
Ffestiniog Railway Holdings limited, trading as Ffestiniog Travel, collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the GDPR which applies across the European Union (including in the UK) and we are responsible as ‘controller’ of that personal information for the purposes of the GDPR. The GDPR will be supplemented in due course by additional UK specific data protection legislation.
What personal information do we collect?
We collect personal information about you when you:
- visit our website, join a mailing or marketing list, contact us on social media or by email, complete a survey or enter a competition organised by us
- visit our office
- contract directly with us
- contract with us as a third party
You are responsible for ensuring that other members of your party are aware of the content of this notice and consent to your acting on their behalf in all your dealings with us.
How do we collect information?
You may give us the information orally, by web form, email, telephone or by letter. You may also give information to booking agents acting on our behalf or booking agents (including family members and others) who seek to purchase a service from us.
How long do we keep your personal data?
All personal data are kept no longer than is necessary. In the case of any contract concluded with us then financial data are kept for a period of seven years from the date when the contract is completed. All other data (ie copy passport, date of birth certificate, medical information) are destroyed one month following the completion of the travel contract.
In circumstances when a customer completes a document signifying consent to receive a particular service then the document is kept indefinitely unless the customer in writing withdraws the consent.
What is the lawful basis for you processing my information?
We must have a lawful basis for processing your information; this will vary on the circumstances of how and why we have your information, but typical examples include:
- the activities are within our legitimate interests as a travel company seeking to engage with and provide services to prospective and current customers, and third parties
- you have given consent for us to process your information e.g. in relation to marketing activities
- we are carrying out necessary steps in relation to a contract to which you are a party or prior to you entering into a contract, e.g. because you wish to book tickets or arrange for us to carry out a service for you
- the processing is necessary for compliance with a legal operation to which we are subject, e.g. for us to be able to comply with legal obligations imposed by statute and statutory regulation
- to protect your vital interests, e.g. if you were unfortunate enough to fall ill or suffer injury on one of our holidays.
If we process any special categories of information i.e. information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, processing of genetic biometric data for the purpose of uniquely identifying individuals, health data, or data concerning your sex life or sexual orientation, or information revealing criminal convictions or offences we must have a further lawful basis for processing. This may include:
- where you have given us your explicit consent to do so, e.g. to obtain your medical details to satisfy requirements imposed by Regulation
- where the processing is necessary to protect your vital interests or someone else’s vital interests
- you have made the information public
- the processing being necessary for the establishment, exercise or defence of legal claims
- the processing being necessary for reasons of substantial public interest
- the processing being necessary as a consequence of the arranging of relevant and necessary insurance policies
- preventing or detecting unlawful acts or dishonesty, or for safeguarding reasons.
How do we use your information?
We use the information:
- to provide information that you may require regarding the services that we offer
- to fulfil our contract with you
- to comply with our statutory and regulatory obligations
- to send you marketing communications.
Disclosure of your information
Some of the information you provide to us may be transferred to, stored and processed by third party organisations who process data on our behalf. These third parties may be based (or store or process information) in the United Kingdom, or elsewhere including outside of the European Economic Area (EEA). These third parties may include third party IT platforms (including cloud-based platforms), suppliers of administrative and support services and suppliers of other specialist products.
We may be obliged to disclose data by order of a court, by statute, or we may be permitted to disclose it under applicable data protection laws in other circumstances.
How do we protect your information?
All our computers are protected by firewalls and reputable anti-virus software to which all patches and updates are applied as soon as possible. External servers are similarly protected and provided by organisations we trust. Our computers and programmes are protected by passwords. Information in hard form is kept in locked drawers or filing cabinets.
When we transfer information to third parties to enable them to process it on our behalf, we ensure that the providers meet or exceed the relevant legal or regulatory requirements for transferring data to them and keeping it secure.
We may transfer your personal information to countries which are located outside the European Economic Area (EEA) or UK as follows:
- when using outsourced IT or other administrative support services
- where you are located outside of the EEA
- To enable us to fulfil our contractual obligations
Such countries do not always have the same data protection laws as the United Kingdom and EEA but we will ensure that where information is transferred to a country or international organisation outside of the of the UK/EEA, we will comply with the relevant legal rules governing such transfers that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information.
What are cookies?
We may collect information using “cookies.” Cookies are small data files stored on the hard drive of your computer or mobile device by a website. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer or mobile device until you delete them) to provide you with a more personal and interactive experience on our Site.
We use two broad categories of cookies: (1) first party cookies, served directly by us to your computer or mobile device, which we use to recognise your computer or mobile device when it revisits our Site; and (2) third party cookies, which are served by service providers on our Site, and can be used by such service providers to recognise your computer or mobile device when it visits other websites.
Cookies we use
Our Site uses the following types of cookies for the purposes set out below:
|Type of cookie||Purpose|
|Essential Cookies||These cookies are essential to provide you with services available through our Site and to enable you to use some of its features. Without these cookies, the services that you have asked for cannot be provided, and we only use these cookies to provide you with those services.|
|Analytics and Performance Cookies||These cookies are used to collect information about traffic to our Site and how users use our Site. The information gathered may include the number of visitors to our Site, the websites that referred them to our Site, the pages they visited on our Site, what time of day they visited our Site, whether they have visited our Site before, and other similar information. We use this information to help operate our Site more efficiently, to gather broad demographic information and to monitor the level of activity on our Site.
We use Google Analytics for this purpose. Google Analytics uses its own cookies. It is only used to improve how our Site works. You can find out more information about Google Analytics cookies here and about how Google protects your data here. You can prevent the use of Google Analytics relating to your use of our Site by downloading and installing the browser plugin available here.
|Social Media Cookies||These cookies are used when you share information using a social media sharing button or “like” button on our Site or you link your account or engage with our content on or through a social networking website such as Facebook or Twitter. The social network will record that you have done this.|
|Functionality Cookies||These cookies allow our Site to remember choices you make when you use our Site. The purpose of these cookies is to provide you with a more personal experience and to avoid you having to re-select your preferences every time you visit our Site.|
You can typically remove or reject cookies via your browser settings. In order to do this, follow the instructions provided by your browser (usually located within the “settings,” “help” “tools” or “edit” facility). Many browsers are set to accept cookies until you change your settings.
Further information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them, visit www.allaboutcookies.org.
If you do not accept our cookies, you may experience some inconvenience in your use of our Site. For example, we may not be able to recognise your computer or mobile device and you may need to log in every time you visit our Site.
We may also use pixel tags (which are also known as web beacons and clear GIFs) on our Site to track the actions of users on our Site. Unlike cookies, which are stored on the hard drive of your computer or mobile device by a website, pixel tags are embedded invisibly on webpages. Pixel tags measure the success of our marketing campaigns and compile statistics about usage of the Site, so that we can manage our content more effectively. The information we collect using pixel tags is not linked to our users’ personal data.
Do Not Track Signals
Some Internet browsers may be configured to send "Do Not Track" signals to the online services that you visit. We currently do not currently respond to do not track signals. To find out more about "Do Not Track," please visit http://www.allaboutdnt.com.
What are your rights concerning our use of your personal information?
Under GDPR your rights include:
- Right of access. You may request to see what data we hold about you.
- Right to rectification and data quality. You may require us to correct data which are inaccurate or incomplete.
- Right to erasure including retention and disposal. The right to be ‘forgotten’. If you have had no contract with us, this can be done immediately. If you have had a contract, we must retain relevant data for seven years. Data older than this can be deleted, though we need to retain your name in our archives as a marker for past transactions.
- Right to restrict processing. In this case we can retain the data but not use it.
- Right of data portability. This does not apply as we do not process data by automatic means.
- Right to object, or to withdraw consent. You can ask us to stop sending you direct marketing communications (e.g. brochures or email newsletters). Note that an ‘unsubscribe’ request will stop future mailings, but that if you require your data to be deleted you must specifically notify us.
If you wish to exercise any of these rights, please email or write to us, and we will respond appropriately as quickly as possible. Furthermore, if you would like to discuss this policy, ask how we use your personal information, provide feedback or make a complaint please email or write to us.
The General Manager
Ffestiniog Railway Holdings Ltd
Former St. Mary’s Church
Telephone: 01766 512400
You can also contact the Information Commissioner’s Office via https://ico.org.uk for information, advice or to make a complaint.
Changes to this privacy notice
This privacy notice was last updated in May 2018.
We may change this privacy notice from time to time as our business and internal practices and/or applicable laws change. We will not make any use of your personal information that is inconsistent with the original purpose(s) for which it was collected or obtained (if we intend to do so, we will notify you in advance whever possible via our website and/or otherwise contacting you by post or email) or otherwise that is permitted by applicable law.