Last updated on 23rdof May 2018
At Sunhouse Travel Ltd (hereinafter “we”, “us” or “our”) we arecommitted to protectour clients’ privacy and handling their personal data in an open and transparent manner.
2. Who we are
Sunhouse Travel Ltd (‘’the Company’’) is a Cyprus based travel services company that serves corporate and individual client travel needs and offers other travel related services. The Company is also the official handling agents of Thomas Cook UK & Continental Europe in Cyprus.
4. Identity and contact details of the Data Controller and Data Protection Officer.
Sunhouse Travel Ltd, a Cyprus private limited liability company, having registration number HE 65219, is the "Data Controller” pursuant to the GDPR, and related Cyprus Law, and determines how your personal data is kept and processed.
The main establishment and the central administration of the Data Controller is situated at Kolonakiou 16, 1st Floor, 4103 Linopetra, Limassol.
(b) Data Protection Officer (DPO)
The DPO may be contacted directly with regards to all matters concerning this policy and the processing of your personal data including the enforcement of all applicable and available rights.
Official requests may be made by post at Kolonakiou 16, 1st Floor, 4103 Linopetra, Limassol, or electronically at email@example.com.
5. What is personal data?
Personal data within the meaning of this policy is information about an identified or an identifiable person, i.e., information that can be directly or indirectly linked to a particular person.
6. How do we collect your Personal Data
We may collect your Personal Data when you communicate with us via email by informing us of any special requests or preferences you may have, or when you sign up for a newsletter or participate in a promotional offer.
We can collect your Personal Data when you visit our offices or make a reservation by phone.
We may receive your Personal Data from third parties. This may include information from other travel agents and other business partners.
We collect and process certain Personal data from cookies, which are pieces of data stored directly on the computer or mobile device that you are using. Cookies allow us to collect data such as browser type, time spent on the website, pages visited, referring URL, and other aggregated traffic data. We use the data for security purposes, to facilitate navigation, to display data more effectively and to collect statistical data. At this time, we do not respond to browser “Do-Not-Track” signals.
7. What categories of Personal Data we collect and process?
Our customers are mainly individuals, but they may also be legal persons. When customers are legal persons they have representatives and employees whose personal data we may process. When you make travel arrangements with Sunhouse Travel Ltd you provide us with the following information about yourselfand that of your travel companions:
General identification and communication information
Your name, address, e-mail and telephone details, date of birth and additional contact information about you that we may receive through third parties with whom we are dealing (eg travel agents or similar services), ID or passport numbers. A copy of the identity document or passport may be required for further processing by a third party in connection with a reservation (eg airline, hotel, etc.)
Travel destinations, your booking information, any subsequent travel information if relevant (e.g. if you need our help for a connecting flight or if you have booked a transfer or a guided tour), your luggage requirements, seating preferences, hotel room preferences, the date of arrival and departure, information and comments about your service preferences (including room types, facilities, holiday preferences, desired amenities, children's ages or any other views of the services used).
Credit and debit card details
Special categories of personal data
When you use our services, you may be asked for types of personal information that is considered sensitive. Sensitive or Special categories of Personal data includes your nationality, information that could reveal religion as a meal preference and other travel preferences and medical conditions as far as your ability to fly, your travel itinerary, or to provide you with special assistance, as well as any other information deemed sensitive under applicable data protection law. Special categories of personal data will only be processed based on your explicit consent. Such data is only collected when deemed necessary.
If you do not provide us the necessary information we may not be able to enter into an agreement with you, or the legal person you represent, for the requested service and/or we may be unable to fulfil its obligations on the basis of the agreement.
8. What lawful reasons do we have for processing personal data?
In order to proceed with a business relationship our clients must provide their personal data to us which are necessary to operate our business and provide our services.
In accordance with GDPR we may rely on the following lawful reasons when we collect and use personal data to operate our business and provide our products and services:
· Compliance with legal obligations– We may collect and process personal data in order to meet legal and other regulatory obligations.
· Contract– We may process personal data in order to perform our contractual obligationstowards you
· Consent- We may rely on your freely given consent to keep and process your personal data. You have the right to withdraw consent at any time.
· Legitimate interests– We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced. A legitimate interest is when we have a legal, business or commercial reason to use our clients’ information. Instances ofsuch processing activities can include, but not limited to initiating legal claims, preparing our defense in litigation procedures, etc.
9. How do we use your Personal Data
Sunhouse Travel Ltdundertakes to ensure that all processing of personal data is lawful, fair and transparent. Data will only be collected for a specific, explicit and legitimate purpose and collecting and processing will not go beyond what is necessary for the purpose of the processing. The processing shall always be adequate, relevant and limited to what is necessary for the purpose for which they are processed. We use your Personal Data for the following purposes:
To manage your bookings. We will use your personal data to provide you with the services you request from us. This includes booking your flight and / or your hotel, arranging a guided tour, transporting, processing your payment and tickets to you and providing any special assistance to you (where you provide your consent).
To send you communications about the services you have requested and to provide you with support. We will use your personal data to send you any communications about the services you have requested from us. This includes sending an email to let you know about changes to your itinerary, or to provide you with a voucher, a ticket or an electronic ticket. We will also provide support and customer service, we will deal with your inquiries, your program changes and complaints.
To send you marketing communications. We will use your information to send you promotional offers, periodic customer satisfaction, market surveys, or quality assurance inquiries (to the extent permitted after we have obtained your consent);
For our business purposes. We will use your information for purposes such as data analysis, auditing, monitoring and prevention of security and fraud, improvement, enhancement or modification of our Services, identifying trends in use, determining the effectiveness of our promotional campaigns, and operating and expanding our business activities.
To comply with applicable laws and regulatory obligations (including laws outside your country of residence) such as those relating to money laundering and the fight against terrorism, to comply with a legal process and to respond to requests by public and governmental authorities (including those outside your country of residence); and
To establish and defend our legal rights, to protect our activities or those of our business associates, our rights, privacy, security or property, you or others; and to pursue available legal remedies or to limit our losses.
10.Children Personal Data
Our services are not intended for use by children under the age of 16. However, we may receive some personal information about children, such as name, date of birth, and copy of an identity document to make your requests, e.g. for booking airline tickets or hotels to minors. We process these data after we have received the explicit consent of the parent or guardian. We do not collect personal data from children under 16 for any reason. In case that we will find out that we have collected personal data from a child under the age of 16 for any other reason, we will delete these data from our systems immediately.
11.Do we share personal data with third parties?
In the course of our business relationship our clients’ personal data may be provided to various departments within our Company.
We do not share your personal datawith thirdparties except to the extent necessary to complete your order and fulfil your travel arrangements. Such thirdparties may include, but are not limited to, appropriate airlines, cruise lines, hotels, other travel suppliers, airline reservation systems and other global distribution systems.
Third parties to whom we may disclose Personal Data may have their own privacy policies which describe how they use and protect Personal Data. If you want to learn more about their privacy practices, we encourage you to visit the websites of those third parties.
12.Do we transfer your personal data outside the European Economic Area?
We store personal data on servers located in the European Economic Area (EEA). We may transfer personal data to reputable third party organisations situated inside or outside the EEA when we have a business reason to engage these organisationsor where it is needed to fulfil our services such as reservations with airlines, hotels etc in accordance with your instructions. Each organisation is required to safeguard personal data in accordance with our contractual obligations and data protection legislation.
13.Personal data security.
We have put in place appropriate technical and organisational measures including physical, electronic and procedural measures to protect personal data from loss, misuse, alteration or destruction. We restrict access to information at our offices so that only officers and/or employees who need to know the information have access to it. Those individuals who have access to the data are required to maintain the confidentiality of such information. In addition, we have trained our employees on how to handle, manage and process personal data, applied upgraded technical measures and transformed our policies and procedures in a way that will comply with the GDPR.
Please be aware that the transmission of data via the Internet is not completely secure. Users should also take care with how they handle and disclose their personal data and should avoid sending personal data through insecure email.
14.Retention of personal data.
We will keep our clients’ personal data for as long as we have a business relationship.
Once our business relationship has ended, we will hold your personal data on our systems for the longest of the following periods:
a) any retention period that is required by law or regulations;
b) the end of the period in which litigation or investigations might arise in respect of the services or
c) as directed by our own internal retention policies or practices, the length of which may vary depending on the nature of the information that is held.
The personal data processed for the purposes of sending newsletters shall be kept with us until you notify us that you no longer wish your personal data to be used for this purpose.
16.What are your data protection rights?
Subject to the provisions of the GDPR, you have certain rights regarding the Personal Data we collect, process or disclose and that is related to you, including the right:
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds, We will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
17.How to raise a complaint
To exercise any of the above rights, or for any questions or complaints about our use of your personal data, please contact our Data Protection Officer, either by post at Kolonakiou 16, 1st Floor, 4103 Linopetra, Limassol, or electronically at firstname.lastname@example.org.
Complaints may also be lodged to the supervisory authority in Cyprus (Office of the Commissioner for Personal Data Protection, by post at 1 Iasonos Str. 1082, Nicosia, Republic of Cyprus. More information can be found at http://www.dataprotection.gov.cy.