Grosvenor Tours (“Cullinan”, “we”, “us”, “our”) strive to ensure that our use of the Personal Information of data subjects is lawful, reasonable, and relevant to our business activities, with the ultimate goal of improving your experience as a prospective or existing customer, Service Provider or employee of Cullinan.
- We offer (among others) the following services (“our Services”):
- travel, tourism and leisure-related products and services;
- We collect Personal Information about you when you:
- contract with us for our Services;
- book or inquire about any of our Services;
- access our Website, mobile applications or related software systems;
- contact us, or otherwise interact with us; and/or
- join Grosvenor Tours as an agent, broker, sales associate, or employee.
- This Policy applies to all external parties with whom we interact, including but not limited to:
- applicants, individual customers, potential customers and recipients of our Services (including individuals who book or enquire about our Services with or through us or who are the recipients of any Services booked with or through us);
- representatives of customer organisations;
- individuals whose Personal Information is collected from other companies in our Group (such as where you have consented to your Personal Information being disclosed to other group companies for marketing purposes);
- our suppliers and service providers;
- visitors to our offices;
- other users of our Services.
By providing us with your Personal Information, you:
WHAT PERSONAL INFORMATION DO WE COLLECT?
- “Personal Information” refers to private information about an identifiable living natural or juristic person. Personal Information does not include information that does not identify a person or anonymized information.
- The Personal Information we collect may differ according to the Services you receive from Grosvenor Tours. We may process various categories of Personal Information, such as:
- Identity Information, when interacting with us as a customer, including information concerning your name, company name, identity and registration numbers, title, date of birth, gender, and legal status, languages, physical address;
- Contact Information, which includes your billing address, service addresses, physical address, email address and telephone numbers;
- Credit Information, to assess our transactional risk and your creditworthiness, including credit history reports from credit bureaus (with your consent where required by law);
- Criminal behaviour history, where permitted in respect of prospective employees and job applicants;
- Financial Information, where permitted, including bank account details, bank statements and financial statements;
- Human Resources in respect of our own employees, including leave records, job applications, medical aid information to administer employment contracts and comply with our legal obligations;
- Tax Information where permitted, which includes IRP5 records, PAYE records and VAT registration numbers;
- Technical Information, which includes your internet protocol (IP) address, browser type and version, time zone setting and location, operating system and platform, on the devices you use to access our Website, products or Services
- Enquiry and booking information, including information concerning enquiries and bookings made with or through us for tourism, travel, leisure or related services, including where you are making the enquiry or booking or are the recipient of the travel services to which the enquiry or booking relates. This information may include:
- records of enquiries and searches for holiday and travel products made by or on your behalf, details of your personal preferences, needs and other relevant information;
- quotes, proposals, estimates and other information given in response to enquiries;
- details of the holiday, accommodation, travel, car hire, and other tourism, travel, leisure or related services booked or enquired about;
- details of the passengers travelling and details of the provider of the travel services (such as tour operators);
- payment card details, passport information and visa information, foreign exchange requirements; and
- where required, special Personal Information such as health, medical, dietary, mobility, disability, religious or other special requirements.
- Transaction Details concerning you as an individual, which includes your name, age, gender, address, telephone, mobile, fax, e-mail, contact details, proof of identity and address, copies of passports, driving licences, and utility bills, payment card details, and financial information, health information relevant to your planned travel, and travel insurances held, credit status, your preferences, frequent flyer or travel partner program affiliation and member number, and any other information provided to us by or in relation to you which concern you as an individual.
- Business-related information, if you are an individual associated with a business or other organisation that is our customer, then your Personal Information may include the following information that we link to you:
- business or organisation details (such as name, address, telephone numbers, payment arrangements, financial information, etc.)
- your relationship with that business or organisation (such as owner, partner, director, shareholder, employee, or agent);
- your contact details within that business (such as work address, work telephone and mobile numbers, work fax number, and work e-mail address.
- Correspondence, including messages between you and us, and between us and third parties, including correspondence relating to any booking or enquiry, or performance of any contract.
- Competition information, including Personal Information, collected during any competitions or promotions held by us or our Associates.
- Account, Registration, Membership and Loyalty Information, including your participation in any loyalty program.
- Usage Information, which includes information as to your access to and use of our Website, products and Services.
- Marketing and Communications Information, which includes your preferences in respect of receiving marketing information from us and your communication preferences.
SPECIAL PERSONAL INFORMATION
Where we need to process your Special Personal Information, we will do so in the ordinary course of our business, for a legitimate purpose, and per applicable laws.
HOW WE COLLECT PERSONAL INFORMATION?
- You directly provide Grosvenor Tours with most of the Personal Information we process. We collect and process Personal Information in the following ways, namely:
- through direct or active interactions with you;
- through passive or automated collections;
- in the course of providing our Services to you or your organisation, including where you register as a customer to use any of our Services or you opt-in to receiving any direct marketing from us;
- in evaluating job applicants and onboarding Employees;
- from third parties, where permitted.
- Direct or active collection
- We may require that you submit certain information to enable you to access portions of our Website, to make use of our Services, to facilitate the negotiation and conclusion of an agreement with us, or that is necessary for our compliance with our statutory, professional or regulatory obligations.
- We also collect Personal Information when you communicate directly with us. For example:
- Via email, meetings and telephone calls;
- When you fill in forms or registers, or make a purchase with us;
- When you voluntarily complete a customer survey, provide feedback or ask for marketing information to be sent to you.
- If you contact us, we reserve the right to retain a record of that correspondence or telephone call, which may include Personal Information.
- The Personal Information we collect from you may include any of the categories listed in the paragraph above depending on what will be necessary to perform the Services.
- Passive (automated) collection
- We may passively collect certain categories of your Personal Information from the devices that you use to access and navigate our Website or to make use of our Services (“Access Devices”) using server logs and your browser’s cookies.
- The categories of Personal Information we passively collect from your Access Device may include your:
- Technical Information;
- Usage Information; and/or
- Any other Personal Information which you expressly permit us, from time to time, to passively collect from your Access Device.
- Indirect collection (from third parties)
- We may also receive your Personal Information indirectly from, among others, the following sources (including public parties):
- our information technology suppliers;
- law enforcement;
- credit bureaus (with your consent, where required by law).
- from other Responsible Parties where we act as contracted outsourced processors (“Operators”) in performing our Services, including:
- providers of any holidays, accommodation, and other tourism, travel, leisure or related services which are enquired about or booked, and their intermediaries;
- Banks and other financial institutions;
- Telecommunications providers;
- When we collect your Personal Information from third parties it is either because you have given us express consent to do so, your consent was implied by your actions, or because you provided consent, either explicit or implicit, to the third party that provided this information to us.
- We may also receive your Personal Information indirectly from, among others, the following sources (including public parties):
HOW WE USE YOUR PERSONAL INFORMATION
- We Process your Personal Information in the ordinary course of the business of providing our Services.
- We also use the Personal Information we collect to maintain and improve our Website and to improve the experience of its users, to facilitate the provision of our Services to you, and to comply with our statutory and regulatory obligations.
- We use your Personal Information only for the purpose for which it was originally collected by the relevant Responsible Party and strictly in accordance with their instructions. We only use your Personal Information for a secondary purpose only if such a purpose constitutes a legitimate interest and is closely related to the original purpose and instructions for which the Personal Information was collected.
- We may process your Personal Information during the course of various activities, including but not limited to, the following:
- providing our Services at your request;
- processing, collecting and administering payments for our Services rendered;
- providing customer support and responding to and communicating with you about your requests, questions and comments (including responding to booking enquiries and searches for holidays and corporate travel);
- transfer of limited and necessary information to our Service Providers and other third parties where required to perform our obligations to you (including providers of any holidays, accommodation, and other tourism, travel, leisure or related services which are enquired about or booked, and their intermediaries);
- with your consent (where required by law), for relationship management and marketing purposes in relation to our Services, including, but not limited to, the development and improvement of our Services, marketing activities (promotions and special offerings), and for accounts management to establish, maintain and/or improve our relationship with you;
- to keep internal records and maintain reasonable archives, including enquiries, bookings, contracts, travel services, and complaints;
- to carry out direct marketing to you (see Direct Marketing section below for further information);
- to detect, prevent, manage and protect against actual or alleged fraud, security breaches, misuse, and other prohibited or illegal activity, claims and other liabilities;
- to protect our rights in any litigation that may involve you;
- to comply with our regulatory reporting obligations, including submissions to the South African Reserve Bank, Financial Intelligence Centre, South African Revenue Services, Information Regulator and/or other authorities;
- for other lawful and legitimate purposes that are relevant to our business operations or regulatory functions.
- conduct our recruitment and hiring process, which includes, referrals, capturing job applicant’s details and providing status updates to job applicants to protect our legitimate interest in ensuring a safe working environment.
- operate, evaluate and improve our business units, including:
- developing new products and services;
- managing our communications;
- determining the effectiveness of our sales, marketing and advertising;
- analysing and enhancing our products, services, websites and apps;
- maintaining the safety, security and integrity of our Website, products and services, databases, networks and other technology assets, and business;
- performing accounting, auditing, invoicing, procurement, reconciliation and collection activities; and
- improving and maintaining the quality of our customer service;
- for the purpose otherwise described to you when collecting your Personal Information, or as otherwise outlined in POPIA.
- Grosvenor Tours will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
DIRECT MARKETING (ELECTRONIC)
- Grosvenor Tours would like to send you information about our product and service offerings we believe may be of interest to you.
- We may send marketing materials to our customers’ email addresses (including individuals who book or enquire about our Services with or through us or who are the recipients of any Services booked with or through us) as permitted by POPIA, provided that:
- your name and contact details were obtained in the context of the sale of our products or Services (including any inquiries, requests or bookings concerning our products and Services);
- we contact you to market our similar products or Services.
- you may opt-out at any time and free of charge on any of our marketing communications or by emailing firstname.lastname@example.org
- If you are not our customer, we may send marketing materials to where you give us your express “opt-in” consent (either digitally or in-person) to send you marketing materials through your preferred electronic channels of communication, provided that we shall keep a record of your consent and you may opt-out any time and free of charge on any of our subsequent marketing communications.
- Once you have chosen to opt-out, we may send you written confirmation of receipt of your opt-out request (which may be in electronic form), and we will thereafter not send any further direct marketing communication to you. However, you may continue to receive communication from us on matters of a regulatory nature, which are not marketing related.
LEGAL BASIS FOR COLLECTING AND PROCESSING INFORMATION
We will only collect and process your Personal Information where:
- You have provided us with your consent (as permitted by law);
- To perform in terms of a contract with you;
- To protect your legitimate interests;
- To pursue our legitimate interests and our customers’ legitimate interests which include:
- providing Services to and managing our relationship with existing customers;
- fraud and financial crime detection and prevention;
- information, system, network, and cybersecurity;
- general corporate operations, due diligence and risk assessment;
- complying with a legal obligation, and/or enforcing and defending legal claims.
COMPULSORY PERSONAL INFORMATION AND CONSEQUENCES OF NOT SHARING WITH US
Where we are required to process certain Personal Information by law, or in terms of a contract that we have entered into with you, and you fail to provide such Personal Information when requested to do so, we may be unable to perform in terms of the contract in place or are trying to enter into with you. In such a case, we may be required to terminate the contract and/or relationship with you, upon due notice to you, which termination shall be done in accordance with the terms of that contract and any applicable legislation.
DISCLOSURE OF PERSONAL INFORMATION
- We may disclose your Personal Information to our contracted Responsible Parties, Service Providers and Associates for legitimate business purposes, in accordance with applicable law and subject to applicable professional and regulatory requirements regarding confidentiality and appropriate data protection measures.
- In addition, we may disclose your Personal Information:
- where it is necessary for the purposes of, or in connection with, actual or threatened legal proceedings or establishment, exercise or defence of legal rights;
- With our contracted agents, advisers, auditors, consultants, service providers, suppliers, banking partners and other Operators who process Personal Information on our behalf and whose assistance we require to conduct our business operations and that:
- where such Personal Information is necessary for the performance of their obligations to or on behalf of Grosvenor Tours (i.e., records storage, payroll, server hosts); and
- based on our instructions, are not authorised by us to use or disclose the information except as strictly necessary to perform the services on our behalf as instructed or to comply with legal requirements.
- With third party Operators to the extent that they require such specific Personal Information in the provision of services for or to us, which include hosting, development and administration, technical support and other support services relating to our Website and/or the operation of our business divisions. We will only authorise the processing of any Personal Information by a third-party Operator on our behalf by, among others, entering into agreements with those third parties governing our relationship with them and highlighting instructions, confidentiality, security and non-disclosure obligations.
- to enable us to enforce, implement, or apply any other contract between you and us, or any contract where we act as an agent of the principal contracted with you;
- to mitigate any actual or reasonably perceived risk to us, our customers, employees, contractors, agents, brokers or any other third party;
- to any relevant third party acquirer(s), in the event that we sell or transfer all or any portion of our business or assets (including, but not limited to, in the event of a reorganization, dissolution or liquidation);
- With governmental agencies, exchanges and other regulatory or self-regulatory bodies, if required to do so by law or there is a reasonable belief that such is necessary for:
- compliance with the law or with any legal process;
- the protection and defence of the rights, property or safety of Cullinan, our customers, employees, contractors, suppliers, service providers, agents, brokers or any third party;
- the protection of the rights, property or safety of members of the public (if you provide false or deceptive information or make misrepresentations, we may proactively disclose such information to appropriate regulatory bodies).
- Performance of contract, bookings and suppliers (foreign countries)
- We will disclose your Personal Information (particularly your name and date of birth) to third parties (including intermediaries) as strictly necessary to deal with your booking enquiry, to make any booking requested by or for you, to perform and administer any booking for you or contract in respect of you. This may include applying for visas on your behalf, collecting payments made by you, investigating and responding to complaints, and enforcing any booking or other contract with you. Categories of third-party recipients may include any incoming travel agencies, accommodation facilities, airline, coach, cruise, ferry or train operators, car hire companies, tour operators, etc.).
- In this context, the said Personal Information must also be forwarded to companies domiciled in foreign countries, (e.g. an airline) or if the booked trip goes to a foreign country. We expressly draw your attention to the fact that there is often not a level of data protection in foreign countries that is equivalent to that of South Africa and, therefore, there is the risk that the information may not be protected accordingly. Personal Information is transmitted to these foreign countries usually on the basis of Section 72(1)(c) and/or Section 72(1)(d) and/or Section 72(1)(e) of POPIA. In the individual case, we cannot inform the customer that and to whom we transmit the information, as this frequently proves to be impossible or would require a disproportionate effort.
- Travel Insurance
- If an application is made through us to pass onto the insurers for any travel or other insurance to cover you, we will pass your Personal Information on to the insurer. Information provided by you may be put on a register of claims and shared with other insurers to prevent fraudulent claims.
STORAGE AND TRANSFER OF PERSONAL INFORMATION
- We have engaged reputable and trusted organisations as outsourced processors (Operators), and in some cases, as sub-processors to provide data storage and cloud services to securely store your information. Our servers and cloud storage run in secure premises located in South Africa.
- We reserve the right to generally transfer to and/or store your Personal Information on servers in a jurisdiction other than where it was collected, or outside of South Africa in a jurisdiction that may not have comparable data protection legislation; Provided that if the location does not have substantially similar laws to those of South Africa, we will take reasonably practicable steps, including the imposing of suitable contractual terms to ensure that your Personal Information is adequately protected in that jurisdiction.
SECURITY AND INTEGRITY
- We take all reasonable technical and organisational measures to secure the integrity of retained information and protect it from misuse, loss, alteration, and destruction through the use of accepted technological standards that prevent unauthorised access to or disclosure of your Personal Information. Unfortunately, despite our best efforts, no data transmission or storage can be guaranteed to be 100% secure. Therefore, we do not make any warranties or guarantees that content shall be entirely 100% secure nor do we accept any liability of whatsoever nature for loss of privacy resulting from any unauthorised disclosure and/or use of your Personal Information, unless such disclosure and/or misuse is because of our gross negligence. However, we are subject to the Protection of Personal Information Act 4 of 2013, which we comply with.
- Our servers are protected by firewalls and access to Personal Information is limited to minimal authorised personnel of Grosvenor Tours. The security of our Website and IT systems is also tested regularly, and every effort is made to ensure that security is at an optimum level at all times.
- When processing payment card details, we comply with the applicable Payment Card Industry Data Security Standard (PCI-DSS standard).
- We periodically review our Personal Information collection, storage and processing practices, including physical and digital security measures.
- We have established and implemented data breach management procedures to address actual and suspected data breaches and will notify you and the relevant regulatory authorities of breaches where we are legally required to do so and within the period in which such notification is necessary.
RETENTION AND DELETION
- We may retain and process some or all of your Personal Information if and for as long as:
- we are required or permitted by law, or contract with you, to do so;
- it is for lawful purposes that are related to our performance of our obligations and activities; or
- you agree to us retaining it for a specified further period.
- Unless there is a lawful purpose for us to continue processing or storing your Personal Information, we will destroy your Personal Information in the following circumstances:
- the Personal Information is no longer necessary for the purpose for which it was collected or processed; or
- you withdraw your consent to the processing of your Personal Information; or
- you object to the processing of your Personal Information; and
- there are no other lawful grounds for us to continue processing your Personal Information.
- We determine the appropriate retention period for Personal Information by considering, among other things, the nature and sensitivity of the Personal Information, the potential risks or harm that may result from its unauthorised use or disclosure, the purposes for which we process it and whether those purposes may be achieved through other means. We will always comply with applicable legal, regulatory, tax, accounting, labour, or other requirements as they apply to the retention of Personal Information.
- We will destroy your data using effective methods including, among others, shredding.
MAINTENANCE, CORRECTIONS AND ACCESS
- We are required to take all necessary steps to ensure that your Personal Information is accurate, complete, not misleading and up to date.
- Anyone about whom we maintain Personal Information may request to inspect and, if appropriate, correct the Personal Information held by us. It is your responsibility to inform us, or the persons responsible for the maintenance of your Personal Information, should your Personal Information be incorrect, incomplete, misleading or out-of-date by notifying us at contact details in paragraph 2.1 above. We may require additional information from the requesting party to assure itself of the legitimate basis for the request and the identity and authority of the requestor. Upon receipt and verification of the corrected Personal Information, we will adjust our data or records accordingly.
- A request for correction/deletion of Personal Information or destruction/deletion of a record of Personal Information must be submitted using the prescribed Form 2 which is available in our Promotion of Access to Information Manual and the Information Regulator’s website.
- We have service level agreements with third parties who send us Personal Information (either in our capacity as a Responsible Party or Operator). These state that only relevant and necessary information is to be provided as it relates to the processing activity we are carrying out.
- We have destruction procedures in place where a data subject or third party provides us with Personal Information that is surplus to our requirements.
YOUR DATA PROTECTION RIGHTS
- Data protection laws may grant you, among others, the following rights:
- Request access to your Personal Information – enabling you to receive a copy of the Personal Information retained about you;
- Request the correction of your Personal Information – to ensure any incomplete or inaccurate Personal Information is corrected;
- Request erasure of your Personal Information – where there is no lawful basis for the retention or continued processing of your Personal Information;
- Object to the processing of your Personal Information for a legitimate interest (or those of a third party) – under certain conditions where you feel it impacts your fundamental rights and freedoms;
- Request restriction of processing of your Personal Information – to restrict or suspend the processing of your Personal Information to limited circumstances;
- Withdraw consent given in respect of the processing of your Personal Information at any time – withdrawal of consent will not affect the lawfulness of any processing carried out before your withdrawal notice. But may not affect the continued processing of your Personal Information in instances where your consent is not required.
- If an above request/objection is to be made, please use the contact information in paragraph 2.1 above and we will revert within 30 calendar days.
- Our Website and our Services are not targeted at people under the age of 18. We will not knowingly collect Personal Information in respect of persons in this age group without express permission to do so, unless permitted by law.
THIRD PARTY SUB-PROCESSORS/OPERATORS
- IT systems and infrastructure;
- Human resources;
- Hosting and email infrastructure;
- Credit reference agencies;
- Direct marketing / mailing services.
- We conduct due diligence in respect of our external Operators before forming a business relationship. We obtain company documents and references to ensure the Operator is adequate, appropriate and effective for the task we employ them for.
- We may place small text files called “cookies” on your device when you visit our Website. Cookies do not contain Personal Information, but they do contain a personal identifier allowing us to associate your Personal Information with a certain device. Cookies serve useful purposes for you, including:
- Remembering who you are as a user of our Website to remember any preferences you may have selected on our Website, such as saving your username and password, or settings (“functional cookies”);
- allowing our Website to perform its essential functions. Without these cookies, some parts of our Website would stop working (“essential cookies”). For example, information on error messages displayed to users will be collected and the developer team will assess and solve it.
- monitoring how our Website is performing, and how you interact with it to understand how to improve our website or Services (“site analytics”).
- Your internet browser may accept cookies automatically and you can delete cookies manually. However, no longer accepting cookies or deleting them may prevent you from accessing certain aspects of our Website where cookies are necessary.
- As cookies are stored in the web browser used to access our Website, to disable cookies users need to change the settings pertaining to that browser in particular.
PRIVACY POLICIES OF OTHER WEBSITES
- Our Website may contain links to other websites, apps, tools, widgets and plug-ins that are run by third parties. If you visit a third-party website or social media site, you should read that website/ social media’s privacy notice, terms and conditions, and their other policies. We are not responsible for the policies and practices of third parties and social media sites. Any Personal Information you give to those organizations is dealt with under their privacy notice, terms and conditions, and other policies
- If YOU disclose your Personal Information directly to any third party other than Grosvenor Tours, GROSVENOR TOURS SHALL NOT BE LIABLE FOR ANY LOSS OR DAMAGE, HOWSOEVER ARISING, SUFFERED BY YOU AS A RESULT OF YOUR DISCLOSURE OF YOUR PERSONAL INFORMATION TO SUCH THIRD PARTIES.
CHANGE TO THIS POLICY
QUERIES, COMPLAINTS, AND INFORMATION REGULATOR
- If you are located outside of South Africa, you may contact the appropriate regulatory authority in your country of domicile.
ANNEXURE – DEFINITIONS
“Associates” means Grosvenor Tours, subsidiaries and the directors, employees and consultants of Grosvenor Tours or any of its group companies or subsidiaries;
“Operator” means any person or entity that Processes Personal Information on behalf of a Responsible Party.
“Personal Information” means information or data relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to information relating to –
- race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person
“Responsible Party” means the entity that decides how and why Personal Information is Processed. Responsible Parties may instruct Operators to processes Personal Information on their behalf.
“Service Provider” means third party providers of various services with whom Grosvenor Tours engages, including, but not limited to, software licensors, developers and suppliers of software, providers of information technology, communication, file storage, data storage, copying, printing, distribution/logistics, accounting or auditing services, counsel, investigators, attorneys, and employee provident/pension fund administrators, and our insurers and professional advisors;
“Special Personal Information” means Personal Information about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that may be deemed to be sensitive under applicable law.