Privacy Policy - Hannon Travel

This Privacy Policy (our Policy) sets out the basis on which any personal data within the meaning of the General Data Protection Regulation (GDPR) (EU) 2016/679 is collected and used by us.

Who we are:

We are Eimer Hannon Travel Services Limited trading as Hannon Travel Services (registered number 359954, registered address The Courtyard, 3-4 Academy Street, Navan, Co. Meath) and references to ‘we’, ‘us’ and ‘our’ shall be construed accordingly.

What we do:

We provide International Travel Agency Services to both individuals and companies.

What is personal data?

Personal data is information which relates to an identifiable natural person.

Do we collect personal data?

Yes, when:

you make a booking with us;
your employer makes a booking with us for you;
you use your credit or debit card to pay for your booking;
you fill in your contact details on the ‘Contact’ section of our Site;
you interact with us via social media such as Facebook or Twitter;
you make an enquiry with us;
you download and use our mobile app;
you complete a traveller profile form

It is important to note that we need your personal data in order to book flights and accommodation in your name. If someone other than you provides us with your personal data for purposes of making reservations on your behalf, then we are entitled to presume that they have been authorised by you to do so.

What types of personal data do we obtain?

The data that we obtain includes but is not limited to the following – name, address, date of birth, telephone number, email address, passport number, passport expiry date, nationality (as per passport), health and medical information (where you have volunteered same for purposes of your travel and accommodation requirements).

Categories of data that we collect:

We process personal data relating to the following categories of data subject: our employees, customers who are natural persons and the employees and contractors of our customers who are not natural persons (corporate clients).

How do we use your data?

We use it, in order to:

book flights, hotels and other travel and accommodation services for you;
process payment for your booking;
verify credit or other charge card details;
manage your loyalty and reward programme (if applicable);
identify ways that we can improve our service;
meet our legal and regulatory obligations;
provide you with marketing content that you have consented to receive;
answer your queries.

Why?

To use your information lawfully, we rely on one or more of the following bases:

It is necessary for the performance of a contract to which you are party. For example, when you book flights and accommodation with us or your employer does so in the course of your employment;
It is necessary for purposes of the legitimate interests of third parties (except where those interests are overridden by your interests or fundamental rights and freedoms) such as your employer in the course of your employment;
your consent to such use;
compliance with legal obligations;
protecting the vital interest of you or others.

Do we collect sensitive personal data?

Generally, we do not. Sensitive personal data includes certain categories of personal information, such as that about race, ethnicity, religion or health. On occasion a customer may require or request specific medical assistance, with regard to their travel arrangements or make us aware of a medical condition which, in the interests of that customer’s own health and safety, ought to be brought to an airline’s attention. If that is the case, we will not do so without your consent or otherwise in accordance with article 9(2) of the GDPR.

Our security measures

When you give us personal information, we take steps to make sure that it’s treated securely. We use strict procedures and technical security measures to safeguard your information in our offices and across all of our computer systems, networks, website and mobile app. Our security measures include the following:

pseudonymising or encrypting personal data;
maintaining ongoing confidentiality, integrity, availability, access, and resilience of processing systems and services;
restoring the availability of and access to personal data, in the event of a physical or technical security breach;
testing and evaluating the effectiveness of our technical and organization measures.

Non-sensitive details (your email address etc.) are sent normally over the internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk.

Where we have given (or where you have chosen) a password which enables you to access our systems, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Do we share personal data with third parties?

Yes, we share personal data with:

third parties in the travel industry with whom you or your employer have made bookings. This includes airlines and hotel operators and other travel and accommodation service providers and their agents and representatives. It also includes companies that provide vital services to the travel industry such as software management and payment processing services (and whose services are used by the airlines and hotel operators with whom you or your employer have made bookings). We also share personal data with regulatory authorities such as immigration and customs control authorities. Except in limited circumstances discussed elsewhere in this policy, it is very important to note that we are not responsible to ensure that any of these third parties are compliant with data protection law;
third parties who provide services to us in the course of our business subject that we disclose only the personal information that is necessary for the purpose of the performance of their services and we have contracts in place that guarantees the security of your data and the integrity of our service providers’ systems. These parties include;

software management services providers;
payment processor service providers;
IT service providers;
professional service providers such as our accountants in the context of auditing our books and records and marketing consultants who help manage our marketing and customer reward programmes;
data security consultants in the context of auditing our data security systems, policies and protocols.

International transfers of data

We may transfer your information outside of the European Economic Area (EU members and Iceland, Liechtenstein and Norway) (EEA) if you are travelling outside of the EEA or if your data requires to be processed outside of the EEA for purposes of your travel within it.

International transfers of data to approved countries

The following countries have been approved by the EU Commission as providing an adequate level of data protection, for the purpose of the international transfer of data: Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay have been approved in full. Canada has been approved for certain types of personal data. The Commission has also approved the transfer of advance airline passenger data to the US, Canada and Australia. International transfers of data to non-approved countries

You should assume that countries which have not been approved by the EU as providing an adequate level of data protection and service providers (such as hotel operators) and their agents and representatives who are located in those countries do not provide appropriate safeguards or an adequate level of protection regarding your data.

Assumption of risk by you

If you elect to travel to a non-approved country, you do so entirely at your own risk and acknowledge and agree that, as regards the adequacy of data protection laws in those countries, you:

are aware of the associated risks;
request that we transfer your data notwithstanding such risk;
consent to us transferring your data in those circumstances.

If you are travelling to a non-approved country, during the course of your work

If you are required to travel to a non-approved country, during the course of your employment, then the transfer of your data is, in the absence of appropriate safeguards for the protection of your data, necessary for purposes of your employment and performance of your employment contract.

USA specific sharing of personal data

Under U.S. Law, U.S. Customs and Border Protection (CBP) will receive certain travel and reservation information, known as Passenger Name Record or PNR data, about passengers flying between the European Union and the U.S.

CBP has undertaken that it uses this PNR data for the purposes of preventing and combating terrorism and other transnational serious crimes. The PNR may include information provided during the booking process. The information will be retained for at least three years and six months and may be shared with other authorities.

Further information about these arrangements, including measures to safeguard your personal data, can be obtained on www.dhs.gov and ec.europa.eu.

Marketing

We require your express consent if we wish to contact you for direct marketing purposes (by email, phone, post or text). You are entitled to withdraw your consent at any time.

How long will we hold your data for?

We will hold your data while you are a customer or while your employer is a customer (and you are required to travel in the course of your employment) and for the minimum period thereafter that we are required pursuant to our legal and regulatory obligations. We will keep your data for no longer than is necessary and then securely delete your data or anonymise it so that it cannot be linked to you.

Your rights

You have the right to:

request a copy of the information that we hold about you. If you would like a copy of some or all your personal information, please contact us using the contact details mentioned below. We will respond to your request within one month;
ensure that your personal information held by us is accurate and up to date. If you would like us to correct or remove information you think is inaccurate, please contact us using the contact details mentioned below;
object to the processing of your personal data on grounds relating your particular situation if we claim that the processing is carried out on the basis that it is necessary for the purposes of our legitimate interests or those of your employer or a third party.
receive the personal data which you have given to us, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without delay from the current controller if:
the processing is based on consent or on a contract, and
the processing is carried out by automated means.
require that we no longer contact you for marketing purposes (by means of an ‘unsubscribe’ link or ‘Stop’ text message);
be forgotten. Should you wish for us to completely delete all information that we hold about you please contact us using the contact details mentioned below;
lodge a complaint (concerning the manner and means of our processing of your personal data) with the Office of the Data Protection Commissioner (www.dataprotection.ie).

We can only deny your request if we can show compelling legitimate grounds for the processing, which override your interest, rights and freedoms, or the processing is for the establishment, exercise or defence of a legal claim.

Our contact details

If you wish to contact us for any of the reasons set out above or you have any questions about our privacy policy or you wish to make a complaint with regard to the manner and means in which your data is processed by us or with regard to any other matter in relation to your data, you can write, call or email our data protection department at: Hannon Travel Services, The Courtyard, 3-4 Academy Street, Navan, Co. Meath.

Telephone: +353 46 907 5852
Email: Dataprotection@hannontravel.ie

Finally, please note that we may revise or update our policy at any time subject that we will at all times comply with our obligations under the General Data Protection Regulation (GDPR) (EU) 2016/679.