Derwent London Gallery Limited
Privacy Notice for
Derwent London App
1. About this Notice
1.1. Welcome to our privacy notice. Derwent London plc ("Derwent", "we", "our" or "us") is committed to protecting your personal data when you use our services.
1.2. This privacy notice explains how we collect, retain and process your personal data when you use the Derwent London App ("App") and what your rights are over your personal data. The App is available to download on Google Play and Apple's The App Store.
1.3. For details of how we process personal data outside of the Derwent London App please read our Public Privacy Policy and related privacy notices available at: www.derwentlondon.com/texts/privacy-policy
Third-party links
1.4. The App may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to process personal data about you. We do not control these third-party websites and are not responsible for their privacy notices. When you leave the App, we encourage you to read the privacy notice of every website you visit.
2. Who we are
2.1. We are Derwent London Plc, incorporated and registered in England and Wales with company number 01819699. Our registered office is at 25 Savile Row, London W1S 2ER. We are usually a "Controller" of personal data which means that we are responsible for the use of the personal data that we collect from you.
2.2. If you have any questions, comments or complaints about this privacy notice or its contents, please contact us using the details below:
Derwent
London plc
Head Office
25 Savile Row
London W1S 2ER
company.secretary@derwentlondon.com
207 3000
3. Types of Personal Data we Collect
3.1. When we refer to "personal data" we mean information about a living individual from which that individual can be identified. This means that information about organisations is not personal data.
3.2. When you use the App we collect:
3.2.1. First Name.
3.2.2. Surname.
3.2.3. Work Email Address.
3.2.4. Job Function.
3.2.5. Technical information about your use of the App (for example, your device make and model, operating system version, version of the App that you are running, IP address, analytics about your usage of the App, your login data, browser type and version, time zone setting and location, browser plug-in types and versions).
3.3. Depending on the services that you use in the App, we may also collect:
3.3.1. Contact telephone number.
3.3.2. Details of upcoming and previous room bookings and catering orders.
3.3.3. Information that is provided to us in relation to a booking.
3.4. Your device may be set up to use biometric data in order to log-in to the App without your password and to pay for bookings made through the App (for example, using Touch ID or Face ID). We do not get access to this biometric data.
3.5. We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate technical information about how you use the App to calculate the percentage of users accessing a specific App feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this notice.
3.6. The App is not intended to be used by children and we do not knowingly process personal data relating to children.
Special categories of personal data
3.7. We do not routinely collect and we do not solicit any special categories of personal data or any information about criminal convictions and offences via the App. Special categories of personal data is information about an individual's race, ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data.
If you fail to provide your personal data
3.8. Where we need to collect personal data by law, or under the terms of a contract we have or are entering into with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel the contract you have with us but we will notify you if this is the case at the time.
4. How we Collect your Personal Data
4.1. We collect personal data from a number of different sources, including:
4.1.1. From you directly, for example when you register on the App or when you are making a booking on the App.
4.1.2. From someone making a booking on your behalf.
4.1.3. From automated technologies, for example when you interact with the App we may automatically collect technical information about your device and your use of the App such as the pages of the App you have visited and how long you visited them for.
4.2. If you provide us with personal data about someone else you must ensure that you have permission from that person to provide us with their personal data before you give it to us. If you have given us personal data without permission from the individual concerned you must inform us immediately.
4.3. Please contact us if the personal data that you give to us changes so that we can update our records.
5. How we use your Personal Data
5.1. We use your personal data where we have a legal basis to do so, usually this is because:
5.1.1. It is necessary for us to process the personal data to perform a contract that we are about to enter into or have entered into with you.
5.1.2. It is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
5.1.3. We need to comply with a legal or regulatory obligation.
6. Purpose for which we will use your Personal Data
6.1. We have set out below, in a table format, a description of the ways we plan to use your personal data and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
6.2. Note that we may process your personal data for more than one legal basis depending on the specific purpose for which we are using your data. Please contact us using the contact details above if you would like information about the specific legal basis we are relying on to process your personal data where more than one group has been set out in the table below.
|
1 |
Purpose/Activity |
|
To register you as a user of the App |
|
|
Type of Data |
|
|
(a) First Name and Surname |
|
|
Lawful basis for processing including basis of legitimate interest |
|
|
Performance of a contract with you |
|
2 |
Purpose/Activity |
|
To process and manage your bookings (including where there are in-App purchases) |
|
|
Type of Data |
|
|
(a) First Name and Surname |
|
|
Lawful basis for processing including basis of legitimate interest |
|
|
Performance of a contract with you |
|
3 |
Purpose/Activity |
|
To process and manage your catering orders with our third-party catering provider Lantana (including where there are in-App purchases) |
|
|
Type of Data |
|
|
(a) First Name and Surname |
|
|
Lawful basis for processing including basis of legitimate interest |
|
|
Performance of a contract with you |
|
4 |
Purpose/Activity |
|
To record that payments attached to your bookings have been processed and to issue our invoice, and Lantana's invoice, to you |
|
|
Type of Data |
|
|
(a) First Name and Surname |
|
|
Lawful basis for processing including basis of legitimate interest |
|
|
Performance of a contract with you |
|
5 |
Purpose/Activity |
|
To manage and respond to your enquiries and to communicate with you |
|
|
Type of Data |
|
|
(a) First Name and Surname |
|
|
Lawful basis for processing including basis of legitimate interest |
|
|
Performance of a contract with you |
|
6 |
Purpose/Activity |
|
To send you information about our available spaces, if you request it |
|
|
Type of Data |
|
|
(a) First Name and Surname |
|
|
Lawful basis for processing including basis of legitimate interest |
|
|
Performance of a contract with you |
|
7 |
Purpose/Activity |
|
To administer and protect our App and our business (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) |
|
|
Type of Data |
|
|
(a) First Name and Surname |
|
|
Lawful basis for processing including basis of legitimate interest |
|
|
Necessary for our legitimate interests
(for running our business, provision of administration and IT services,
network security, to prevent fraud and in the context of a business
reorganisation or group restructuring exercise) |
|
8 |
Purpose/Activity |
|
To improve the App, our services, customer relationships and experiences |
|
|
Type of Data |
|
|
(a) Technical information (for example, your device make and model, operating system version, version of the App that you are running, IP address, analytics about your usage of the App) |
|
|
Lawful basis for processing including basis of legitimate interest |
|
|
Necessary for our legitimate interests (to define types of clients for our services, to keep the App updated and relevant, to develop our business and to inform our marketing strategy) |
Change of Purpose
6.3. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to obtain an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the contact details above.
7. Disclosure of Personal Data
7.1. If you book a room through the App the booking will be with Derwent London Gallery Limited. Derwent London Gallery Limited processes personal data about the booking as a Controller in accordance with this privacy notice except as varied by any privacy notice that is separately issued by them.
7.2. If you order catering services when making a booking, we may share your personal data with our third-party caterer Lantana so that they can provide their catering services to you. Lantana processes personal data about you as a Controller and uses your personal data in order to provide their catering services.
7.3. We use a third-party payment provider called Squareup EUROPE Ltd to process payments for room bookings and catering orders. When you check-out your booking or order on the App you will automatically be taken to our payment provider's webpage and you will be asked to enter your payment details. We do not disclose your personal data to this payment provider, but when making a payment to this payment provider you may give personal data to them. Some of this data may relate to the organisation that you work for or represent but it also may include personal data; Squareup EUROPE Ltd processes your personal data as a Controller. Please visit Squareup EUROPE Ltd privacy policy for further information about how they process personal data.
7.4. There may be other occasions where we share your personal data with other third parties, for example:
7.4.1. With our professional advisors, such as our auditors and solicitors.
7.4.2. With other legal, regulatory, judicial and law-enforcement agencies with whom we may need to share personal data in order to comply with our legal obligations.
7.4.3. To any actual or prospective purchaser of our business assets or organisation.
8. Transfers of Personal Data
8.1. If we transfer personal data outside of the UK to a country that is not in the EEA we take steps to ensure a similar degree of protection is afforded to it in that country by putting safeguards in place, for example by using contract terms that have been approved by the UK Information Commissioner's Office.
9. Keeping Personal Data Secure
9.1. We know that you provide your personal data in good faith and expect it to be looked after. We take the security of your personal data seriously and we have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They are only permitted to process your personal data on our instructions and they are subject to a duty of confidentiality.
9.2. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
9.3. We have also taken steps internally in order to ensure that our systems adequately protect your personal data. This includes for example:
9.3.1. HTTPS / SSL encryption of data between the user's browser and server;
9.3.2. use of updated and patched software;
9.3.3. storing highly confidential information in encrypted form;
9.3.4. using firewalled IT systems to prohibit unauthorised access
9.3.5. restricted access controls on files and servers containing personal data;
9.3.6. physical security including locked and access-controlled rooms; and
9.3.7. operation of CCTV at our properties.
10. Data Retention
10.1. Under data protection laws, we cannot retain your personal data in a form that identifies you for longer than is necessary to fulfil the purposes for which we collected it. This may include for the purposes of satisfying any legal, accounting, or reporting requirements.
10.2. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirement.
10.3. We retain:
10.3.1. contact information (first name, surname, work email address and job function);
10.3.2. details of upcoming and previous room bookings and catering orders; and
10.3.3. information that is provided to us in relation to a booking,
10.4. throughout the period during which you have a registered account with the App and for 1 month after your registered account is deleted. We delete the contact telephone number provided for a booking on the App within 1 week of the end of the meeting. We may retain this information for a longer period of time if you and we are in contact with each other after your account is deleted or the meeting has ended (for example, if you send us an email or give us a call); usually we retain personal data relating to those communications for 3 months after the date of the last communication.
10.5. We retain technical information about your use of the App for 3 months after the date that you delete your account with the App.
10.6. We may anonymise personal data which means that it is no longer associated with you. We do this for statistical or research purposes so we can improve the services we offer to you. We can use anonymous data indefinitely without further notice to you.
10.7. Please be aware that these retention periods only relate to the personal data obtained via the App. If we are providing any other services to you, or if we have any other communications with each other, we will continue to retain your personal data in accordance with our general retention policy. Please contact our Company Secretary using the contact details above if you have any questions.
11. Your Rights
11.1. Your personal data belongs to you and you have a number of rights over it. You can:
11.1.1. Ask us for details of the personal data we hold and process about you (usually this is called a subject access request).
11.1.2. Ask that any inaccurate information we hold about you is corrected.
11.1.3. Ask that we delete personal data that we hold about you.
11.1.4. Ask that we stop using your personal data for certain purposes.
11.1.5. Ask that we do not make decisions about you using completely automated means.
11.1.6. Withdraw your consent (where consent is a lawful basis used for processing).
11.1.7. Ask that we give you a copy of the personal data that we hold about you, or (where it is technically feasible for us to do so) that we give this personal data to a third party chosen by you, in a commonly-used, machine-readable, format.
11.2. These rights are not available to everyone all of the time. Some are subject to exemptions, and so we may not always able, or required, to comply with your request to exercise these rights. For more information about your rights please read: www.ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
11.3. To exercise your rights please contact us using the contact details above. We would be grateful if you could provide us with as much information as you can so we can respond as soon as we can. Sometimes we may need proof of your identity (for example, your passport or driving licence) before we can fully respond so we can be sure we are giving the correct personal data to the correct individual.
11.4. We usually respond to data subject requests within one month, but it can take longer if your request is particularly complex or if you have a number of requests. You will not usually have to pay a fee, but we reserve the right to charge a fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request.
12. Questions & Complaints
12.1. If you have any questions or complaints about our processing of your personal data, please contact us using the contact details above.
12.2. If, after speaking with us, you are not happy with how we are processing your personal data, you have the right to complain to the Information Commissioner's Office. Further details can be found at www.ico.org.uk
Last updated: October 2021