Under the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679, Wexas has a legal duty to protect any personal information we collect from you. Wexas Limited of Dorset House, 27-45 Stamford Street, London SE1 9NT is registered as a data controller with the Information Commissioner's Office (ICO) under registration number ZA052466.
Personal information we collect and how we use it
Wexas does not capture or store any personal information provided to us, except as provided in this policy. Personal information may be given to Wexas in a variety of circumstances in order to manage your travel effectively. Such information may be provided to us in the following ways:
- You make a booking, enquiry, purchase or subscribe to a membership through one of our Websites or one of our Digital Tools, or through our consultant teams by email, phone, letter, electronic form or in person;
- You make amendments or changes to a booking, enquiry or purchase as above;
- You consent and take part in a survey or provide us with feedback;
- You subscribe to our newsletter and travel updates;
- You enter one of our competitions;
- You accept cookie usage on one of our Websites or Digital Tools allowing us to track information about your computer or device, and your visits to and use of our services;
- You send us any other information which is pertinent to the fulfilment of your travel booking, in particular this may extend to personal information about your family members or friends for holiday bookings;
- If you work for one of our Corporate clients, you or your company may provide personal information about you as part of a traveller profile form (which may be completed by you or someone who works with you).
All telephone calls are recorded and monitored for quality and training purposes. These recordings may contain personal information and are backed up and stored for up to one year. All email correspondence is stored locally and backed up and can be accessed up to three years later for quality and regulatory purposes. Bookings and travel records are held for seven years after travel to comply with UK regulations. Travel profiles are held while you remain an active client/traveller and for Corporate clients we rely on your employer to notify us about leavers and joiners. We have a regular review process to keep Corporate traveller profiles up to date.
Any marketing materials we send you will be sent to you by post or in electronic format. Should you wish to remove your details from our email marketing list, then you will need to follow the unsubscribe link at the bottom of our emails. Should you wish to opt-out of postal mailings, then please contact Wexas via telephone, email or letter and we will change your preferences accordingly.
If you provide payment details to us to facilitate a travel booking, then this information is stored on secure, encrypted databases that comply with the Payment Card Industry (PCI-DSS) security standards and is only used for payment and accounting purposes.
Wexas may use aggregate information and statistics for the purposes of monitoring Websites’ and Digital Tools’ usage, in order to help us develop our Websites and Digital Tools and our services and may provide such information in aggregate to third parties. These statistics and data will not include any information that can be used to identify any individual.
Additionally some or all of our Websites and Digital Tools use:
Bing and Google AdWords
Facebook and Instagram
We use a Facebook ‘pixel’ to collect aggregated, anonymised data about the behaviour of our website visitors, in order to promote relevant adverts to them on Facebook and Instagram. The ‘pixel’ is a cookie that collects data about what webpages a visitor has been on, aggregates demographic data (e.g. age range, gender) and whether somebody who has visited our website via Facebook has gone on to make a ‘conversion’ (e.g. make an enquiry, request a brochure, sign up to our newsletter). Typically we use this data to provide relevant adverts to our Leisure website visitors based on expressed holiday interests from browsing our website. At no point in time do we know the users’ identities when collecting the data and advertising to them.
Dotmailer is an email marketing platform that we use to send our databases’ emails. We also use Dotmailer to email travel agents with news or occasional relevant information. We use a Dotmailer cookie on our website that tracks whether an individual who has been sent an email has proceeded to order a brochure or make an enquiry. It is possible to identify somebody who has opened one of our emails, including what they have clicked on. We use aggregated data to identify what was popular in any given email so we can better understand clients’ preferences. We also aggregate the data to provide more personalised emails based on a theme of interest. We never use the data to identify individual users’ preferences, only a collated dataset that is impartial.
All data collected from Hotjar, Google Analytics, Google and Bing AdWords, Facebook pixels and Dotmailer is stored securely in the cloud and is not shared with anybody outside the Wexas digital marketing team.
Wexas will only hold your information for as long as is necessary for the purpose for which it was collected. However, in line with our Data Security Policy, some regulatory bodies do require us to hold records for up to seven years after travel. Our Data Security Policy is updated at least once per year and the owner of this policy is our Information Compliance Manager. A copy of this policy may be requested by emailing [email protected].
Save as stated below, your personal information is not disclosed to third parties unless this is indicated by our consultants, or is indicated on our Websites or Digital Tools and/or the relevant form at the point of collecting the information, or as required or allowed by law.
We may disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 736 of the UK Companies Act 1985.
How we protect your information
Any personal information collected is recorded in secure systems. Any payment transaction details are encrypted and comply with the Payment Card Industry (PCI-DSS) security standards.
All Wexas’ employees and data processors, who have access to or are associated with the processing of personal information, are obliged to respect the confidentiality of that information and employees receive annual training on this. Access to our systems is secured by password. Should Wexas receive any complaint, notice, request or communication which relates directly to the processing of your personal information by a third party supplier (whether travel principal or technology supplier) and the supplier’s compliance with Data Protection laws, we shall notify you as soon as possible (and in the case of our Corporate clients, your company, deemed to be acting on behalf of its employees and contractors) of any breach or suspected breach of personal information.
Wexas ensures that your personal information is not disclosed to government institutions and authorities, except if required or allowed by law.
All Wexas outbound emails are encrypted, but please note that, unless encrypted, an email sent from you to us via the internet may not be secure and could be intercepted and read by someone else. Please bear this in mind when deciding whether to include personal information in any email you intend to send us.
Our Websites and Digital Tools may contain links to and from other websites, including those of our suppliers. If you follow a link to any of these websites, please note that these websites will have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check external websites’ policies before you submit any personal information to these websites.
Data protection by design
Wexas is PCI-DSS certified and our Data Protection Policy covers all new processes, technology and procedures introduced at Wexas including Data Protection at the design stage.
Clients 16 and under
If you are aged 16 or under, please get your parent/guardian’s written permission sent to us before you provide personal information to Wexas’ Websites, Digital Tools or consultants. Clients/users aged 16 or under without this consent are not allowed to provide us with personal information.
Accessing your personal information and data Wexas holds on you
Wexas will process any personal information that it collects in accordance with the Data Protection Act 1998. If you wish to access personal information collected from you or you have an enquiry or concern regarding the processing of personal data by Wexas, please make an individual information request to:
[email protected] or write to our Information Compliance Manager at Wexas Limited, Dorset House, 27-45 Stamford Street, London SE1 9NT.
Under the Data Protection Act 1998 you can request a copy of your personal information. Wexas will provide you with a legible copy of the personal information it holds and to which you are entitled. This will be sent to you within 30 days of your request. Please note Wexas requires proof of your identity before supplying the information and may ask you for further information to assist in locating your personal information. Individual traveller requests are free of charge, although Corporate or group/multiple requests may incur charges which are detailed in our Wexas Travel Management transaction fees.
Your right to rectify
You can ask Wexas to update your personal information if something is inaccurate or missing. You do not need to submit an information request to do this; simply send any changes by email or post to your Wexas consultant or account manager.
Your right to restrict processing
If you think there is something wrong with the data being held about you, or you are unsure Wexas is complying with the GDPR rules, you can restrict any further use of your personal information until the problem is resolved. However, please note we will not be able to make any future travel bookings or provide tickets/documentation for imminent travels while such a restriction is in place.
Your right to erasure
From 25th May 2018 you have the right to erasure, which means that, following an individual or Corporate data request, you may instruct Wexas to erase the personal information we hold on you. Subject to there being no legal reasons to retain this information, Wexas will erase the information within one month (Corporate) and three months (Leisure and holidays) and provide you with a written confirmation of its erasure. In cases where we are required to keep travel records for legal or regulatory reasons or for the integrity of trend reporting for Corporate clients, we may anonymise your personal information rather than erase it, but your information will be anonymised in a non-redactable way.
Your right to data portability
You can request a copy of your information by writing to the Wexas Limited Information Compliance Manager at [email protected] or by post at Dorset House, 27-45 Stamford Street, London, SE1 9NT. Your information will be provided via electronic media in a commonly used format which is compatible with other IT systems.
For individual Leisure clients this information will be provided free of charge, although we reserve the right to charge for repeated or excessive requests.
For Corporate clients wishing to transfer their individual travellers’ personal information and/or travel records to a new travel management provider, written requests for these transfers may be made to your Wexas account manager. Please note there is a charge for the secure, encrypted transfer of Corporate client data by account and these charges are detailed in our Wexas Travel Management Transaction Fees. Typically Corporate client data transfers take between 14 and 28 days to complete. Where individual Corporate travellers have or continue to make personal holiday or travel arrangements with Wexas, this data will be retained.
Your right not to be subject to automated decision making
At the present time Wexas does not use automated decision making in any of its processes. Should this change, Wexas will always provide an opt-out capability and will always review any objections within the GDPR framework.
Unless otherwise agreed, no delay, act or omission by us or you in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
This policy will be governed by and interpreted according to the laws of England and Wales. All disputes arising under this policy will be subject to the exclusive jurisdiction of the England and Wales courts.
Wexas Limited | May 2018