We process important, valuable and confidential data on behalf of our customers. We do this in a secure and appropriate way and have prepared this statement to demonstrate our security commitment in the context of travel procurement and privacy laws.
We (Agiito) act as a data processor, in the majority of cases, when processing our customers’ personal data and will process it in accordance with the UK data protection law and the contractual obligations in our contracts.
This means only processing customer data in accordance with the written instructions of our customers, who are the data controllers.
Where we have entered into standard contractual clauses (SCCs) for the purpose of transferring data outside of the EEA, we take the position of data controller to enable this.
For the purpose of providing travel, meeting and event services we collect, use and disclose personal data. Personal data is any information that can be used to identify you or that we can link to you.
Any user of our services may be asked to provide certain personal data such as: name and contact information (work and home/mobile phone, fax, email, address); emergency contact names and information; preferences and trip/meeting details e.g. seat preferences, frequent flyer club membership, class of service, meal preferences, hotel/rail/car and other ground transportation membership, special accommodation requests, and other personal data supplied by you via your login profiles.
Dependent upon the type of service taken you may also be asked to supply additional documentation such as passport/visa/driver’s licence number, and date of birth.
Data subjects have the rights of data portability, access, objection, restriction, rectification and erasure in respect of any data we may hold on them.
Each of our customers can be assured that we are taking the necessary steps with our suppliers (who are sub-processors of the personal data) to require them to comply with the UK GDPR, using both contractual clauses and annual due diligence reviews.
For the purpose of fulfilling the provision of travel, meeting and event services, any personal data collected may be shared with or disclosed to:
- our customer, as the data controller, for the purpose of management information, auditing, tracking and other purposes as necessary;
- our related companies, partners, subcontractors and agents as necessary to fulfil and support the services, including facilitated bookings and assistance, responding to queries, ticket issue, responding to requests, and engagement in customer campaigns or supplier promotions;
- third-party travel service providers to fulfil contractual travel and events services (e.g. Global Distribution Systems (GDSs); trains, hotels, airlines, rental car and other ground transportation companies, car parking facilities and other travel suppliers for booking purposes);
- technology platform providers, including, without limitation, online booking tool providers, meeting registration software providers (including onsite and mobile event management solution providers), visa and passport providers, credit card companies, and payment collection and processing companies.
When sharing with or disclosing personal data to other parties, as stated above, personal data may be transferred to countries with data protection laws providing a lower standard of protection for your personal data than your country.
We will transfer your personal data in compliance with applicable data protection laws, including having adequate mechanisms in place to protect your personal data when it is transferred internationally, e.g. Model Clauses and data protection agreements.
We are governed by a comprehensive Information Security Policy set and regularly audited by Capita plc. Policies include data security, information technology, physical security, data protection and cybersecurity.
A formal breach notification plan is in place detailing reporting lines and time frames for reporting internally through our incident management tool. Should an incident occur that materially affects any customers, we will notify them in accordance with our contractual obligations.
We adhere to a data retention policy that ensures that data is only stored as long as necessary to comply with legal and regulatory requirements.
We are an ISO 27001 and Cyber Essentials Plus certified company with PCI DSS accreditation and as such are subject to regular internal and external audits against these standards.
We use appropriate technical and organisational security measures to protect the personal data of our customers.
Typically, data is stored within our UK-based datacentre, which houses our internal systems. These are held on our own equipment with no additional access available to any datacentre staff. Physical security controls include 24x7 monitoring, visitor logs and entry passes. Environmental controls include redundant communications and uninterruptible power supplies (UPS).
Whilst we employ security measures to provide data confidentiality, integrity and availability, it should be noted that no transmission over the internet can be guaranteed as secure from illegal or unauthorised activity, and so any personal data is supplied at your own risk.
You have the right to make a complaint at any time to the UK supervisory authority for data protection issues, the Information Commissioner's Office (ICO) (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance – any questions can be directed to firstname.lastname@example.org