We absolutely respect your right to privacy. Our overall aim is to ensure that our collection and use of personal data is appropriate to the provision of services to you and our clients and is in accordance with applicable data protection laws.
- Who we are
- The personal data we collect about you
- How we store, use and share your personal data for our core business
- How we might otherwise share your personal data and who we share it with
- International transfers
- Data Retention
- Your rights
- Applying for a job at The Original Cottage Company
- Third party sites
- Supporting the NHS Test and Trace system
- Complaints, questions and suggestions
Who we are
The Original Cottage Company Limited is the data controller of the personal data that we collect from you. It is a company registered in England and Wales (registration number 06951692), whose registered office is at Bank House, Market Place, Reepham, Norwich, NR10 4JJ.
The personal data we collect about you
If you (either as an individual or as part of a group booking) are seeking to rent a property or to obtain details about a potential holiday, we will usually collect the minimum information required to fulfil your needs. This will likely include your name, contact details, payment details, date of birth, details of other members of your party plus information on your specific requirements in order to customise your holiday and deliver your specific requirements.
If you sign up to join our mailing list we will collect your name and email address, together with your consent to receive communications from us. This consent can be removed at any time simply by using the unsubscribe button on any of our email communications.
If you are letting or are seeking to let your property, we will usually collect your name, contact details, bank account details and information on your property required to optimise its marketing through our sites.
If you are, or work for, a supplier to The Original Cottage Company Limited, then we will collect the minimum amount of business specific personal data, usually your name, business role and business contact details to enable us to manage the business relationship.
If you are, or work for, a business customer of The Original Cottage Company Limited, then we will collect the minimum amount of business specific personal data, usually your name, business role and business contact details to enable us to manage the business relationship.
How we store, use and share your personal data for our core business
Individuals who rent, or enquire about, a property
We collect, store and use your personal details as outlined above for our legitimate business interests, so that we can fulfil both your immediate and any potential future holiday booking or enquiry needs. This storage and use of your personal data allows you to be contacted about both your current booking or enquiry.
Given that we act as an agent between the hirer / enquirer and the owner / renter of the property, we will share your personal data with the owner / renter as required to either secure your holiday booking or answer your holiday enquiry. The owner/renter of the property may use this personal data to contact you for the purposes of facilitating your holiday booking.
Should you request that we pass on supplementary information that you wish to provide to the owner / renter then we will do so and will only hold that information on your behalf as part of your booking record.
If you provide feedback on a property, we may also share this with the owner / renter which may include disclosing your personal data.
Individuals who join our mailing list
You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and, in each case, you have not opted out of receiving that marketing. You will also receive marketing communications from us if you have provided us with your details when you entered a competition or registered for a promotion and gave us your consent as part of that process. As such, we may contact you with details of our properties, services, offers and other marketing items which we believe will be of interest or potential benefit. We do not believe that this storage and use of your personal data will unduly prejudice your rights or freedoms. You can remove your consent at any time using the unsubscribe button on any of our email communications to you.
Individuals who let, or seek to let, a property
We collect, store and use your personal details as outlined above for our legitimate business interests, so that we can market and let your property.
This storage and use of your personal data allows you to be contacted about both any current booking or enquiry, and also - providing you have not opted out of receiving marketing communications - allows us to update you with offers, opportunities and developments which could be both interesting and beneficial in the future. We do not believe that this storage and use will unduly prejudice your rights or freedoms.
Given that we act as an agent between the hirer / enquirer and the owner / renter of the property, we will only share the minimum amount of your personal data with the hirer / enquirer as required to either secure your holiday letting or answer any relevant holiday enquiry. Additionally, should you request that we pass on supplementary information that you wish to provide to the hirer / enquirer then we will do so and will only hold that information on your behalf as part of your letting record.
We collect, store and use the business contact details of individuals working with our business partners for our legitimate business interests in maintaining and managing the commercial relationship between The Original Cottage Company Limited and its commercial suppliers and customers. We do not believe that this storage and use will unduly prejudice the rights or freedoms of these individuals.
All other users of the sites and our services
We collect, store and use your personal data for the following purposes:
- to make the sites available to you; and
- to provide any services that you request.
Sometimes, our use of your personal data is for purposes which are ancillary to the provision of the sites and services, or which are desirable in order to make them to operate more effectively. In those circumstances, we believe we have a legitimate business interest in handling your personal data, and do not believe that this storage and use of your personal data will unduly prejudice your rights or freedoms.
The relevant circumstances are:
- detecting and preventing fraud;
- keeping our websites, apps, products and IT systems secure;
- ensuring that our own processes, procedures and systems are as efficient as possible;
- analysing and enhancing the information that we collect;
- determining the effectiveness of our promotional campaigns and advertising; and
- if you have joined our mailing list and you have given us your consent, contacting you (including by SMS and email) with products and services which we think may interest you.
We also collect anonymised details about visitors to our websites for the purposes of generating site statistics, reporting purposes or improving our website and marketing effectiveness. However, no single individual will be identifiable from the anonymised details we collect for these purposes.
How we might otherwise share your personal data and who we share it with
We will disclose information under the following circumstances:
- Third-party service providers: When we share information with third-party service companies for them to facilitate or to provide certain services on our behalf. This will include:
- IT support service providers;
- third-party service providers who track our customers' use of the sites and our services for us.
- other third-parties who we may need to work with to deliver services and/or facilitate your booking and holiday (including any holiday extras), for example, providers of property management services (including, but not limited to, housekeeping, property maintenance etc).
These third-parties are contracted to use your personal data only as necessary to provide the relevant services to us and are required to maintain full security and confidentiality.
In some, relatively limited, circumstances we need to handle your personal data in a certain way to be able to comply with our legal obligations – for example: if we are requested to disclose your personal data to regulatory bodies or if we need to demonstrate our compliance with applicable law such as any tax and national insurance legislation relating to the payment of personal service company contractors and immigration law.
All of our core cottage rental business systems store and process data within the United Kingdom or European Economic Area (EEA). However, some of our internal management systems use international service providers who may carry out processing outside of the UK or EEA. If this processing is carried out in the USA your data is protected, with additional safeguards in place as required by the GDPR, by the use of Standard Contractual Clauses for each of the service providers concerned. If you would like more details on this, please contact us using DPO@originalcottages.co.uk
Technologies such as cookies, beacons, tags and scripts are used by us and our affiliates, or analytics or service providers. These technologies are used in analysing trends, administering the sites, tracking users’ movements around the sites and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.
We employ comprehensive, reasonable and appropriate security measures to protect against the loss, misuse, and alteration of the personal data we process. This includes organisational security (passwords and access controls), physical security (data centre protection) and IT security (encryption). Please note that no transmission over the Internet can ever be guaranteed secure and as a consequence please note that we cannot guarantee the security of any personal data that you transfer over the Internet to us.
We retain information (including personal data) for the minimum reasonable time period to allow us to provide our services and to comply with legal requirements which require us to retain transactional records for six years following the end of the tax year in which you last interact with us. The only exceptions are in cases where we need to keep limited personal data to resolve ongoing disputes, or enforce our agreements.
Should you require more detail about our retention timescales for a specific category of data or information please contact us at DPO@originalcottages.co.uk
You have certain rights in relation to your personal data. If you would like further information in relation to these or would like to exercise any of them, please contact us at DPO@originalcottages.co.uk at any time. You have the right to request that we:
- provide access to any personal data we hold about you;
- update any of your personal data which is out of date or incorrect;
- delete any personal data which we are holding about you;
- restrict the way that we process your personal data;
- prevent the processing of your personal data for direct-marketing purposes;
- provide your personal data to a third-party provider of services;
- provide you with a copy of any personal data which we hold about you; or
- consider any valid objections which you have to our use of your personal data.
We will consider all such requests and provide our response within a reasonable period (and in any event within any time period required by applicable law). Please note, however, that certain personal data may be exempt from such requests in certain circumstances.
If an exception applies, we will tell you this when responding to your request. We may request you provide us with information necessary to confirm your identity before responding to any request you make.
Applying for a job at The Original Cottage Company
When you apply for a job with us, we collect and process a range of personal data in order to assess your suitability for employment. You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.
We ask for:
- personal details including name and contact details
- details of your qualifications, skills, experience and employment history
- information about your current level of remuneration, including benefit entitlements
The legal basis we rely upon for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.
We will also ask whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process. The legal bases we rely upon for this are article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation and article 9(2)(b) as the processing is necessary for the purposes of carrying out our obligations in the field of social security and social protection law.
You may also be asked to provide equal opportunities information including information about your ethnic origin, sexual orientation, health, and religion or belief. This is not mandatory – if you don’t provide it, it won’t affect your application. This is done for the purposes of equal opportunities monitoring only and we won’t make the information available to any staff outside our recruitment team, including hiring managers, in a way that can identify you. The legal bases we rely upon are article 6(1)(a) and 9(2)(b) which require your explicit consent.
In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts. It these situations the legal basis we rely upon is article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation.
When we make a job offer we will also seek information from third parties, such as references supplied by former employers and information from employment background check providers. For some roles, we are legally obliged by safeguarding legislation to conduct criminal records checks. This usually applies to roles that may involve working with minors. The legal basis we basis we rely upon is article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation.
Sharing your information
Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.
We will not share your data with third parties, unless your application for employment is successful and we make you an offer of employment. The organisation will then share your data with former employers to obtain references for you and employment background check providers to obtain necessary background and criminal records checks.
Keeping your information
If you are unsuccessful after assessment for the role, we will hold your data on file for 6 (six) months after the end of the relevant recruitment process. At this point your data will be deleted unless you have told us that you would like your details retained in our talent pool. If this is the case, then we would proactively contact you should any further suitable vacancies arise.
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in our employee privacy notice.
Third party sites
Supporting the NHS Test and Trace system
This section has been added 14 April 2021 following legislation changes to explain the extent to which we use your data to support the NHS Test and Trace System.
The lawful basis for processing your personal data for NHS Test and Trace has changed from legitimate interest to legal obligation.
You no longer have the right to opt out of sharing your details for the purpose of NHS Test and Trace.
What information do we collect?
We may record your contact information when you visit any of our properties including:
- Telephone number or email address
- Date of visit, arrival time and departure time
How will your information be used?
We will only use this information for the purpose for which it has been collected. Where it is necessary for us to collect information which we would not normally collect in our usual course of business it will only be used for the purposes of NHS Test and Trace. We will not use this information for any other purpose such as marketing.
The legal basis for using your information
Processing your personal data for the purposes of NHS Test and Trace is necessary for The Original Cottage Company to comply with its legal obligation as set out in the Health Protection (Coronavirus, Collection of Contact Details etc and Related Requirements) Regulations 2020.
Who will your information be shared with?
NHS Test and Trace will only ask The Original Cottage Company for this information where it is necessary, either because someone who has tested positive for COVID-19 has listed one of our properties as a place they visited recently, or because one of our properties has been identified as the location of a potential local outbreak of COVID-19.
We will only share this information when it is requested by NHS Test and Trace. We will ensure that this information is shared in a safe and secure way.
Where information is shared with NHS Test and Trace the Department of Health and Social Care (DHSC) will be the data controller for the information at the point it receives the data from The Original Cottage Company. The DHSC Privacy notice for maintaining records to support NHS Test and Trace is available at https://www.gov.uk/government/publications/privacy-notice-for-maintaining-records-of-staff-customers-and-visitors-to-support-nhs-test-and-trace/privacy-notice-for-maintaining-records-of-staff-customers-and-visitors-to-support-nhs-test-and-trace
How long will we keep your information?
Information that is collected solely for the purposes of NHS Test and Trace will be retained for 21 days from the departure date of your visit after which time it will be automatically and securely deleted.
The NHS Test and Trace Scheme helps us to keep you safe. The Original Cottage Company is required by law to record and share your data if it is requested by the NHS, in order to participate in this scheme.
Complaints, questions and suggestions
UK Data Protection
We have a Data Protection Officer to assist with all queries regarding our processing of personal data who can be contacted via DPO@originalcottages.co.uk
Article 27 Representative
Article 27 of the EU GDPR requires organisations that process EEA residents’ data, and that are based outside the European Economic Area (EEA), to appoint a EEA Representative.
The Original Cottage Company does not have an establishment in the EU, and so, in compliance with EU GDPR, the company has appointed an EEA Representative. Our Representative is the first point of contact for both EEA residents and EU supervisory authorities and can be contacted via EEArep@originalcottages.co.uk.
You may also make a complaint to your supervisory body for data protection matters (the Information Commissioner's Office in the UK) or seek a remedy through local courts if you believe your rights have been breached.
If you have any complaints, questions and suggestions about our sites or services, please contact us using our contact form.