Under the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679, Wexas Limited has a legal duty to protect any personal information we collect from you. Wexas Limited of Dorset House, 27-45 Stamford Street, London SE1 9NT is registered as a data controller with the Information Commissioners Office (ICO) under registration number ZA052466.
Wexas does not capture or store any personal information provided to us, except as provided in this policy. Personal information may be given to Wexas in a variety of circumstances in order to manage your travel effectively. Such information may be provided to us in the following ways:
All telephone calls are recorded and monitored for quality and training purposes and these may contain personal information and are backed-up and stored for up to one year. All email correspondence is stored locally and backed-up and can be accessed up to three years later for quality and regulatory purposes. Bookings and travel records are held for seven years after travel to comply with UK regulations. Travel profiles are held while you remain an active client/traveller and for Corporate clients we rely on your employer to notify us about leavers and joiners. We have a regular review process to keep Corporate traveller profiles up-to-date.
Any marketing materials we send you will be sent to you by post or in electronic format. Should you wish to remove your details from our email marketing list, then you will need to follow the unsubscribe link at the bottom of our emails. Should you wish to opt-out of postal mailings, then please contact Wexas via telephone, email or letter and we will change your preferences accordingly.
If you provide payment details to us to facilitate a travel booking, then this information is stored on secure, encrypted databases that comply with the Payment Card Industry (PCI-DSS) security standards and is only used for payment and accounting purposes.
Wexas may use aggregate information and statistics for the purposes of monitoring Websites’ and Digital Tools’ usage, in order to help us develop our Websites and Digital Tools and our services and may provide such information in aggregate to third parties. These statistics and data will not include any information that can be used to identify any individual.
Additionally some or all of our Websites and Digital Tools use:
We use a Facebook ‘pixel’ to collect aggregated, anonymised data about the behaviour of our website visitors, in order to promote relevant adverts to them on Facebook and Instagram. The ‘pixel’ is a cookie that collects data about what webpages a visitor has been on, aggregates demographic data (e.g. age range, gender) and whether somebody who has visited our website via Facebook has gone on to make a ‘conversion’ (e.g. make an enquiry, request a brochure, sign up to our newsletter). Typically we use this data to provide relevant adverts to our Leisure website visitors based on expressed holiday interests from browsing our website. At no point in time do we know the users’ identities when collecting the data and advertising to them.
Dotmailer is an email marketing platform that we use to send our databases’ emails. We also use Dotmailer to email travel agents with news or occasional relevant information. We use a Dotmailer cookie on our website that tracks whether an individual who has been sent an email has proceeded to order a brochure or make an enquiry. It is possible to identify somebody who has opened one of our emails, including what they have clicked on. We use aggregated data to identify what was popular in any given email so we can better understand clients’ preferences. We also aggregate the data to provide more personalised emails based on a theme of interest. We never use the data to identify individual users’ preferences, only a collated dataset that is impartial.
When a booking is made, as part of the booking process, your booking information is uploaded to Feefo, an independent review website. Feefo will then contact you via that email address to ask you to review the service you received with Wexas. You may choose to decline, review anonymously or review with your name associated with the review. Feefo do not use the data for any other purpose, and your data is held securely by Feefo.
All data is collected from Hotjar, Google Analytics, Google and Bing AdWords, Facebook pixels, Dotmailer and Feefo is stored securely in the cloud and is not shared with anybody outside the Wexas digital marketing team.
Wexas will only hold your information for as long as is necessary for the purpose for which it was collected. However in line with our Data Security Policy, some regulatory bodies do require us to hold records for up to seven years after travel. Our Data Security Policy is updated at least once per year and the owner of this policy is our Information Compliance Manager. A copy of this policy may be requested by emailing [email protected].
Save as stated below, your personal information is not disclosed to third parties unless this is indicated by our consultants, or is indicated on our Websites or Digital Tools and/or the relevant form at the point of collecting the information, or as required or allowed by law.
We may disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 736 of the UK Companies Act 1985.
Any personal information collected is recorded in secure systems. Any payment transaction details are encrypted and comply with the Payment Card Industry (PCI-DSS) security standards.
All Wexas’ employees and data processors, who have access to or are associated with the processing of personal information, are obliged to respect the confidentiality of that information and employees receive annual training on this. Access to our systems is secured by password. Should Wexas receive any complaint, notice, request or communication which relates directly to the processing of your personal information by a third party supplier (whether travel principal or technology supplier) and the supplier’s compliance with Data Protection laws, we shall notify you as soon as possible (and in the case of our Corporate clients, your company, deemed to be acting on behalf of its employees and contractors) of any breach or suspected breach of personal information.
Wexas ensures that your personal information is not disclosed to government institutions and authorities, except if required or allowed by law.
All Wexas outbound emails are encrypted, but please note that unless encrypted an email sent from you to us via the internet may not be secure and could be intercepted and read by someone else. Please bear this in mind when deciding whether to include personal information in any email you intend to send us.
Our Websites and Digital Tools may contain links to and from other websites, including those of our suppliers. If you follow a link to any of these websites, please note that these websites will have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check external websites policies before you submit any personal information to these websites.
Wexas is PCI-DSS certified and our Data Protection Policy covers all new processes, technology and procedures introduced at Wexas including Data Protection at the design stage.
If you are aged 16 or under, please get your parent/guardian’s written permission sent to us before you provide personal information to Wexas’ Websites, Digital Tools or consultants. Clients/users aged 16 or under without this consent are not allowed to provide us with personal information.
Wexas will process any personal information that it collects in accordance with the Data Protection Act 1998. If you wish to access personal information collected from you or you have an enquiry or concern regarding the processing of personal data by Wexas, please make an individual information request to:
[email protected] or write to our Information Compliance Manager at Wexas Limited, Dorset House, 27-45 Stamford Street, London SE1 9NT.
Under the Data Protection Act 1998 you can request a copy of your personal information. Wexas will provide you with a legible copy of the personal information it holds and to which you are entitled. This will be sent to you within 30 days of your request. Please note Wexas requires proof of your identity before supplying the information and may ask you for further information to assist in locating your personal information. Individual traveller requests are free of charge, although Corporate or group/multiple requests may incur charges which are detailed in our Wexas Travel Management transaction fees.
You can ask Wexas to update your personal information if something is inaccurate or missing. You do not need to submit an information request to do this, simply send any changes by email or post to your Wexas consultant or account manager.
If you think there is something wrong with the data being held about you, or you are unsure Wexas is complying with the GDPR rules, you can restrict any further use of your personal information until the problem is resolved. However please note we will not be able to make any future travel bookings or provide tickets/documentation for imminent travels while such a restriction is in place.
From 25th May 2018 you have the right to erasure, which means post an individual or Corporate data request, you may instruct Wexas to erase the personal information we hold on you. Subject to there being no legal reasons to retain this information, Wexas will erase the information within one month (Corporate) and three months (Leisure and holidays) and provide you with a written confirmation of its erasure. In cases where we are required to keep travel records for legal or regulatory reasons or for the integrity of trend reporting for Corporate clients, we may anonymise your personal information rather than erase it, but your information will be anonymised in a non-redactable way.
You can request a copy of your information by writing to the Wexas Limited Information Compliance Manager at [email protected] or by post at Dorset House, 27-45 Stamford Street, London, SE1 9NT. Your information will be provided via electronic media in a commonly used format which is compatible with other IT systems.
For individual Leisure clients this information will be provided free of charge, although we reserve the right to charge for repeated or excessive requests.
For Corporate clients wishing to transfer their individual travellers’ personal information and/or travel records to a new travel management provider, written requests for these transfers may be made to your Wexas account manager. Please note there is a charge for the secure, encrypted transfer of Corporate client data by account and these charges are detailed in our Wexas Travel Management Transaction Fees. Typically Corporate client data transfers take between 14 to 28 days to complete. Where individual Corporate travellers have or continue to make personal holiday or travel arrangements with Wexas, this data will be retained.
At the present time Wexas does not use automated decision making in any of its processes. Should this change, Wexas will always provide an opt-out capability and will always review any objections within the GDPR framework.
Unless otherwise agreed, no delay, act or omission by us or you in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
This policy will be governed by and interpreted according to the laws of England and Wales. All disputes arising under this policy will be subject to the exclusive jurisdiction of the England and Wales courts.
Wexas Limited | May 2018