Privacy Policy of bluebaytravel.co.uk

This Website collects some Personal Data from its Users.

Personal Data collected for the following purposes and using the following services:

    • Analytics

      • Google Analytics with anonymized IP and Facebook Ads conversion tracking (Facebook pixel)

        Personal Data: Cookies; Usage Data

    • Content commenting

      • Facebook Comments

        Personal Data: Cookies; Usage Data

      • Disqus

        Personal Data: Cookies; Usage Data; various types of Data as specified in the privacy policy of the service

    • Displaying content from external platforms

      • Google Fonts and Adobe Fonts

        Personal Data: Usage Data; various types of Data as specified in the privacy policy of the service

    • Heat mapping and session recording

      • Hotjar Heat Maps & Recordings

        Personal Data: Cookies; Usage Data; various types of Data as specified in the privacy policy of the service

    • Hosting and backend infrastructure

      • Cloudinary and DigitalOcean

        Personal Data: various types of Data as specified in the privacy policy of the service

    • Interaction with external social networks and platforms

      • Twitter Tweet button and social widgets, Facebook Like button and social widgets and Google+ +1 button and social widgets

        Personal Data: Cookies; Usage Data

    • Interaction with live chat platforms

      • Crisp Widget

        Personal Data: Cookies; Data communicated while using the service; Usage Data; various types of Data as specified in the privacy policy of the service

    • Managing contacts and sending messages

      • SparkPost

        Personal Data: email address; various types of Data as specified in the privacy policy of the service

    • Platform services and hosting

      • WordPress.com

        Personal Data: various types of Data as specified in the privacy policy of the service

    • Remarketing and behavioral targeting

      • Google Ads Remarketing and Facebook Remarketing

        Personal Data: Cookies; Usage Data

    • Tag Management

      • Google Tag Manager

        Personal Data: Cookies; Usage Data

    • Traffic optimization and distribution

      • Cloudflare

        Personal Data: Cookies; various types of Data as specified in the privacy policy of the service

Further information about Personal Data

    • ResponseIQ

      Response IQ Ltd Privacy Policy
      Last updated: April 24, 2018

      The https://responseiq.com/ website (the “Website”) is operated by Response IQ Ltd, company registration number 09951115 and the registered office of which is at Rocketspace, 40 Islington High St, London, United Kingdom, N1 8XB (“We”, “Us” or “ResponseIQ”).
      We take your privacy very seriously and we ask that you read this Privacy Policy carefully as it contains important information on:

      - the personal information we collect about you,
      - what we do with your information, and
      - who your information might be shared with.

      Who we are
      ResponseIQ are a “data controller” for the purposes of the General Data Protection Regulation EU 2016/679 (the “GDPR”), (i.e. we are responsible for, and control the processing of, your personal information).

      What information we collect?

      Personal information provided by you
      We may collect personal information about you (such as your name, address, telephone number, payment card details etc.) when you use our Website, register with us or purchase services from us. We may also collect personal information when you contact us, send us feedback or post material to the Website.
      We may also collect information that your browser sends us whenever you visit our Website. This data may include information such as your computer’s IP address, browser type, browser version, the pages of our Website that you visit and other statistics relating to your use of the Website. This information may be collected in conjunction with third party services such as Google Analytics.

      Personal information provided by third parties
      The nature of the Services we offer means that we may receive information about you from a third-party source, such as one of our clients. We will only accept that information if we have evidence that you have consented for the personal information to be passed to us or it is passed pursuant to another legal basis under the GDPR.
      Personal information about other individuals
      If you give us information on behalf of someone else, you confirm that the other person has appointed you to act on his/her behalf and has agreed that you can:

      - give consent on his/her behalf to the processing of his/her personal data;
      - receive on his/her behalf any data protection notices; and
      - give consent to the transfer of his/her personal data abroad.

      Sensitive personal information
      It is very unlikely that we will ask you to provide sensitive personal information. If we request such information, we will explain why we are requesting it and how we intend to use it.

      Sensitive personal information includes information relating to your ethnic origin, your political opinions, your religious beliefs, whether you belong to a trade union, your physical or mental health or condition, your sexual life, and whether you have committed a criminal offence.

      We will only collect your sensitive personal information with your explicit consent.

      Monitoring and recording communications
      We may monitor and record communications with you (such as telephone conversations and emails) for the purpose of performing the Services we offer to our clients, quality assurance, training, fraud prevention and regulatory compliance.

      Use of cookies
      A cookie is a small text file which is placed onto your computer (or other electronic device) when you access our Website. We use cookies on this Website to:

      - keep track of any services you may wish to purchase;
      - recognise you whenever you visit this Website (this speeds up your access to the Website as you do not have to log in each time);
      - obtain information about your preferences, online movements and use of the internet;
      - carry out research and statistical analysis to help improve our content and services and to help us better understand our visitor and customer requirements and interests;
      - target our marketing and advertising campaigns more effectively by providing interest-based advertisements that are personalised to your interests; and
      - make your online experience more efficient and enjoyable.

      The information we obtain from our use of cookies will not usually contain your personal data. Although we may obtain information about your computer or other electronic device such as your IP address, your browser and/or other internet log information, this will not usually identify you personally. In certain circumstances we may collect personal information about you—but only where you voluntarily provide it (e.g. by completing an online form) or where you purchase services from us.
      In most cases we will need your consent in order to use cookies on this Website. The exception is where the cookie is essential in order for us to provide you with a service you have requested (e.g. to enable you to purchase services from us).
      There is a notice on our home page which describes how we use cookies and which also provides a link to this Privacy Policy. If you use our Website after this notification has been displayed to you, we will assume that you consent to our use of cookies for the purposes described in this Privacy Policy.
      We may work with third party suppliers who may also set cookies on our Website. These third-party suppliers are responsible for the cookies they set on our Website. If you want further information, please go to the website of the relevant third party.
      If you do not want to accept cookies, you can change your browser settings so that cookies are not accepted. If you do this, please be aware that you may lose some of the functionality of this Website. For further information about cookies and how to disable them please go to the Information Commissioner’s webpage on cookies: https://ico.org.uk/for-the-public/online/cookies/.

      How will we use the information about you?
      We collect information about you so that we can:

      - identify you and manage any accounts you hold with us;
      - process your order or carry out obligations arising from any contract(s) entered into between you and us;
      - conduct research, statistical analysis and behavioural analysis;
      - carry out customer profiling and analyse your purchasing preferences;
      - if you agree, let you know about other products or services that may be of interest to you—see ‘Marketing’ section below;
      - detect and prevent fraud;
      - customise our Website and its content to your particular preferences;
      - notify you of any changes to our Website or to our services that may affect you;
      - carry out security vetting; and
      - improve our services and notify you about changes to these services.

      Marketing
      Only where you have provided us with specific, informed and unambiguous consent shall we provide you with marketing materials by the mechanism(s) you have consented to (e.g. email). We will only provide you with marketing materials relating to features that you have explicitly consented to.

      If you have consented to such receive marketing from us, you can opt out at any time. See ‘What rights do you have?’ below for further information.

      Who your information might be shared with

      We may disclose your personal data to:

      - our clients as part of the service offered, but only with your explicit consent or pursuant to another legal basis under the GDPR;
      - our service providers pursuant to strict data processing agreements that protect your personal data to the same or higher standards than we treat it;
      - law enforcement agencies in connection with any investigation to help prevent unlawful activity; and
      - a court of law or regulator where we are under a duty to disclose or share your personal data in order to comply with a legal or regulatory obligation.

      Rest assured that we will never pass your information to a third party outside of the categories above without your explicit consent.

      Keeping your data secure
      We will use technical and organisational measures to safeguard your personal data, for example:

      - access to your account is controlled by a password and username that are unique to you;
      - we store your personal data on secure servers; and
      - payment details are encrypted using SSL technology (typically you will see a lock icon or green address bar (or both) in your browser when we use this technology).

      While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data that are transferred from you or to you via the internet. If you have any particular concerns about your information, please contact us (see ‘How can you contact us?’ below).

      Our Website may contain links to other websites of our partners, suppliers, advertisers or other approved third parties. If you follow a link to any of these websites, please note that these websites have (or should have) their own privacy policies. We do not accept any responsibility or liability for these policies or the way in which your personal data may be treated by these third parties. We recommend you check the privacy policy of any third party before you submit any personal data to their website.

      Transfers of your information out of the EEA

      We may need to transfer your personal data to countries which are located outside the European Economic Area (“EEA”), for the purpose of providing the services to you. You may be located in a country outside of the EEA and therefore we may have no choice but to transfer your data outside of the EEA. Rest assured that any transfer of your personal data outside of the EEA will be subject to a GDPR-compliant guarantee (such as the EU-US Privacy Shield or a Model Contract Clause approved by the European Commission) that will safeguard your privacy rights and give you remedies in the unlikely event of a security breach.

      How long do we hold your data for?
      We only keep your personal data as long as necessary for the purpose for which it was obtained. After that period, we either: (1) anonymise the data if we still wish to use it for analytical purposes, or (2) pseudonymise the data if believe in good faith that we may need to process the data in the future for a legitimate purpose, or in all other cases (3) delete it completely from our servers.

      What rights do you have?

      Right to request a copy of your information
      You can request a copy of your information which we hold (this is known as a subject access request). If you would like a copy of some or it, please:

      - email, call or write to us (see ‘How can you contact us?’ below),
      - let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill will suffice), and
      - let us know the information you want a copy of, including any account or reference numbers, if you have them.

      We will acknowledge receipt of your request and will respond within thirty (30) days. We will not charge you for providing the information.


      Right to correct any mistakes in your information
      You can require us to correct any mistakes in your information which we hold free of charge. If you would like to do this, please:

      - email, call or write to us (see ‘How can you contact us?’ below),
      - let us have enough information to identify you (e.g. account number, user name, registration details), and
      - let us know the information that is incorrect and what it should be replaced with.

      We will acknowledge receipt of your request and will respond within thirty (30) days.


      Right to ask us to stop contacting you with direct marketing
      You can ask us to stop contacting you for direct marketing purposes. If you would like to do this, please:

      - email, call or write to us (see ‘How can you contact us?’ below). You can also click on the ‘unsubscribe’ button at the bottom of marketing emails from us,
      - let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill will suffice), and
      - let us know what method of contact you are not happy with if you are unhappy with certain ways of contacting you only (for example, you may be happy for us to contact you by email but not by telephone).

      We will acknowledge receipt of your request and will respond within thirty (30) days.

      Right to erasure
      You can request that we delete all personal data relating to you free of charge. If you would like to do this, please:

      - email, call or write to us (see ‘How can you contact us?’ below), and
      - let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill will suffice), and
      - provide us with the justification for the erasure request (e.g. you are withdrawing your consent, you no longer believe that we should be processing the personal data for the original purpose for which it was obtained, the personal data is being unlawfully processed, there is a legal reason for erasure etc.).

      We will acknowledge receipt of your request and will respond within thirty (30) days.


      Right to Restrict Processing
      You can request that we restrict processing of some of your personal data. If you would like to do this, please:

      - email, call or write to us (see ‘How can you contact us?’ below), and
      - let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill will suffice), and
      - provide us with details of what personal data you would like us to restrict the processing of (e.g. where you contest the accuracy of some personal data, we shall restrict the processing of it whilst its accuracy is verified).

      We will acknowledge receipt of your request and will respond within thirty (30) days. If we agree to restrict the processing of the personal data before the thirty (30) day period, we will inform you as soon as we have put in place the restriction.


      Right to Object
      You can object to us processing any of your personal data. If you would like to do this, please:

      - email, call or write to us (see ‘How can you contact us?’ below), and
      - let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill will suffice), and
      - provide us with details of what personal data you object to us processing.

      We will acknowledge receipt of your request and will respond within thirty (30) days.


      Right to Data Portability
      You can request that be provide some or all of your personal data we hold to a third party free of charge. If you would like to do this, please:

      - email, call or write to us (see ‘How can you contact us?’ below),
      - let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill will suffice), and
      - provide us with sufficient details of the third-party entity to which you would like your data transferred.

      We will acknowledge receipt of your request and will provide your personal to the third-party entity in a commonly used machine-readable format within thirty (30) days providing you have provided us with sufficient information to do so. We will not charge you for this service.


      Rights relating to automated decision making and profiling

      We use software that automatically processes personal data for us. We ensure that processing using this software is fair and we implement all appropriate technical and organisational measures to ensure inaccuracies are minimised. If you are concerned about the use of such software, you have the right to ask for more details about the processing and request that we stop using the software to process your data. If you would like to do this, please:

      - email, call or write to us (see ‘How can you contact us?’ below),
      - let us have enough information to identify you (e.g. account number, user name, registration details), and
      - provide us with details of your concerns and the categories of personal data you believe are being processed by automated software.

      We will acknowledge receipt of your request and will respond within thirty (30) days. Please note that if the automated processing is necessary for the performance of a contract between you and us, if you request that the software is no longer used to process your data, we may not be able to provide you with services anymore.


      Right to complain to the supervisory authority
      If you are unhappy with the way in which we have dealt with a request you have made or you feel that we are not complying with this Privacy Policy in any way, you have the right to complain to the supervisory authority in the country in which you live. The supervisory authority in England and Wales is the Information Commissioners Office and details of how to contact them are available on their website: www.ico.org.uk.

      Time Extensions and Refusals
      We reserve the right to extend the time period to respond to any of the requests listed above by up to sixty (60) days where a request is complex or a large number of requests are made. If we fail to respond to you by the deadline we set, you have a right to complain to the supervisory authority or seek a judicial remedy (see – ‘Right to complain to the supervisory authority’ above).

      We may also refuse a request where there are legitimate reasons to do so. These include, but are not limited to:

      - where a request is manifestly unfounded, excessive or repetitive; or
      - where personal data is being processed:
      • in order to comply with a legal obligation;
      the public interest;
      • in the exercise or defence of a legal claim;
      • in the exercise of the right to freedom of expression and information.



      How to contact us

      Please contact us via help@responseiq.com or call +44 208 629 5280. Our Data Protection Officer is Scott Lee. If you have any questions about this Privacy Policy or the information we hold about you, we will be delighted to assist.

      Changes to this Privacy Policy
      We may change this Privacy Policy from time to time. You should check this policy occasionally to ensure you are aware of the most recent version that will apply each time you access this Website.

    • Pure360

      Pure360 Privacy Policy

      1. Introduction

      This Privacy Policy explains the way in which any personal information that we collect from you, or that you provide to us, will be processed by us when you visit our website at www.pure360.com (“Site”).

      The Site is operated by Pure360 (also referred to below as “we”, “us” or “our”). For further details about us, see the section Company details at the end of this Privacy Policy.

      We endeavour to take all due care to protect your personal information, in accordance with the applicable Data Protection legislation from time to time.

      For the purposes of Data Protection legislation, Pure360 is the data controller in respect of the personal information that we collect through the Website.

      2. Information we may collect from you when you visit the Site

      The personal information we collect when you visit the Site (“Information”) includes:

      your name, address, e-mail address and telephone number(s), and the company or other entity on whose behalf you are acting;
      records of emails and other correspondence (including any further information we may request from you) when you contact us to request information, report a problem, or provide feedback on our products and services;
      standard information automatically collected by our web server including your IP address, browser type, and operating system;
      details of your visits to our site, including access time.

      If you contact us to enquire about a job vacancy, we will collect details relevant to your enquiry and any subsequent application you may make, which will include your name, address, e-mail address and telephone number(s), CV and work experience, and (in certain cases) your personal circumstances. We will provide you with further details at the time.

      3. How we use your information

      We will only use the Information we collect as follows:

      to provide you with the information about our products and services that you request;
      for internal record keeping, billing, accounting and market research purposes;
      to respond to any queries, complaints or requests for further information;
      to improve the content of the Site;
      to customise the content and/or layout of the Site; and
      to provide you with marketing information about other products and services we supply that may be of interest to you.

      If you contact us to enquire about a job vacancy, we will only use your Information for that purpose.

      4. On what basis do we use your information?

      We will process the Information that you provide, or we collect from you, on the basis that it is necessary for our legitimate interests in promoting and marketing our products and services, and for the other purposes mentioned in paragraph 3 above, or (as appropriate) for providing you with information about job vacancies.

      Your Information will not be used for any other purpose, or disclosed to any third party, unless we are required to do so by law, or as mentioned in the next paragraph.

      For details about how we process our customers’ data when they use our products and services to our clients, please see our Licence Agreement, the standard form of which can be found on the Site.

      5. Who do we share your Information with?

      We may disclose your Information if we need to do so in order to comply with any legal or regulatory obligation or request, or where we have a legitimate interest in doing so, such as in order to enforce or apply a contract with you (or the organisation you represent), to investigate potential breaches, or to protect the rights, property or safety of Pure360 or others. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

      If another company acquires us or all or substantially all of our assets, that company will possess the same information and will assume the rights and obligations with respect to that information.

      Except as set out above, we will never sell, distribute or disclose any of your Information (except anonymous aggregate data) with any third party without your express consent.

      In order to provide some of our services, we may use the input of third party providers situated in countries outside Europe (such as the USA) that do not always have the same standards of Data Protection laws as the UK. However, we will ensure that contractual or other safeguards are in place to ensure that your information is adequately protected, and that enforceable rights and effective legal remedies are available for data subjects.

      6. How long do we keep personal information for?

      If you contact us with an enquiry but you do not (or the organisation you represent does not) enter into a contract with us, we will normally delete your personal data after [6 months]. If you order (or the organisation you represent orders) any of our products or services, we normally retain contract information (including related personal data) for 6 years after the end of the relevant contract, in case issues arise during or after the termination of the contract.

      If you contact us about a job vacancy, we will normally delete your personal data after 12 months, unless you become an employee of ours.

      7. Your rights as a data subject

      As a data subject you have certain legal rights including:

      the right to access the personal data held about you;
      the right to ask us not to process your personal data for marketing purposes;
      the right to withdraw at any time any consent you have given to receive marketing material from us;
      the right to ask us to rectify inaccurate personal data about you;
      the right to ask for the restriction of personal data concerning yourself that is inaccurate, unlawfully processed, or no longer required;
      the right to ask for the erasure of personal data concerning yourself where processing is no longer necessary, or the legitimate interests we have in processing your personal data are overridden by your interests, rights and freedoms as the data subject; and
      the right to make a complaint about to the supervisory authority (the Information Commissioner’s Office).

      8. Internet security

      We follow generally accepted industry standards to protect your Information from unauthorised use. However, as no data transmissions over the Internet can be guaranteed to be 100% secure, we cannot take responsibility for any unauthorised access or loss of personal information that is beyond our control.

      Please remember that other methods of Internet communication, such as emails and messages sent via a website, are not secure unless they are encrypted. We take no responsibility for any unauthorised access or loss of personal information that is beyond our control.

      9. Changes to this Privacy Policy and future developments

      We may revise this Privacy Policy from time to time. The most current version of this Privacy Policy will govern our use of information about you and will be located on this page. If we make material changes to this Privacy Policy then where appropriate we will notify you by email or by posting a notice on the Site prior to the effective date of the changes.

      10. How to Contact Us

      If you have any questions, comments or requests about the Site generally, please contact us by email to support@pure360.com.

      If you any questions, comments or requests regarding our use of your personal information, or wish to delete your personal information, please contact us by email to support@pure360.com or write to us at the following address: The Data Protection Manager, Pure360, Unit A-E, Level 3 South, New England House, Brighton, East Sussex, BN1 4GH, England

      11. Company details

      We are Purepromoter Limited, trading as Pure360, registered in England and Wales with company number 4266410. Our registered office is at Unit A-E, Level 3 South, New England House, Brighton, East Sussex, BN1 4GH, England.

    • Emarsys

      1. Preamble
      As part of a separate contract and/or on the basis of separate individual assignments (hereinafter collectively referred to as the “Main Contract”), Emarsys shall provide Blue Bay Travel with various marketing services, with particular emphasis on planning, implementing, and analysing email communication (hereinafter collectively referred to as “Services”). The Services are described in more detail in the Main Contract and in the descriptions of each respective Service.

      2. Subject Matter

      2.1. Processing of Personal Data
      This agreement (“Contract”) shall provide regulations for processing personal data which Emarsys processes on behalf of Client whilst the Services are being delivered (“Data”). Personal data means any information relating to an identified or identifiable natural person. The Data particularly include the names, e-mail addresses, and areas of interest of the recipients of Blue Bay Travel’s e-mail newsletters.

      3. Duties of Blue Bay Travel

      3.1. Client as controller
      Emarsys shall exclusively process the Data as part of, and for the purpose of, delivering Services for Blue Bay Travel and in accordance with Blue Bay Travel’s documented instructions. Emarsys shall process the personal data in no other way, and for no other purpose, unless required to do so by EU or EU Member State law to which Emarsys is subject; in such a case, Emarsys shall inform Blue Bay Travel of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

      3.2. Obligation to notify
      If in Blue Bay Travel’s area of accountability, Data which has been processed by Emarsys in accordance with this Contract becomes inadvertently known to unauthorized third parties, Blue Bay Travel shall inform Emarsys about this in due time to enable Emarsys to take necessary technical and organizational measures on its side.

      3.3. Obligation to indemnify
      If a third party (inclusive of public authorities) makes claim(s) against Emarsys and/or accuses Emarsys to be in breach of contract which is/are based on Blue Bay Travel’s breach of its duties, the following shall apply: Blue Bay Travel shall grant Emarsys indemnity against these claims, provide Emarsys with appropriate support for their legal defence, and indemnify Emarsys for the reasonable cost of the legal defence. The obligation to indemnify shall only be valid if Emarsys informs Blue Bay Travel of any asserted claims in writing and without undue delay, does not make a confession or any other similar statement to that effect, and allows Blue Bay Travel, at Blue Bay Travel’s own expense and as far as is procedurally possible, to conduct all legal and out of court proceedings regarding the claims.

      4. Duties of Emarsys

      4.1. Obligation to inform
      Emarsys shall immediately inform Blue Bay Travel if, in its opinion, an instruction given by Blue Bay Travel violates applicable provisions in relation to data protection. Emarsys shall be entitled to suspend the performance of said instruction until it is confirmed or modified by Blue Bay Travel. Emarsys is not under any obligation to carry out a legal review of the instructions. Blue Bay Travel remains the sole controller regarding the Data, and is responsible for the legality of the Data processing and protecting the rights of the data subjects. Blue Bay Travel shall inform the data subjects or obtain their consent with regards to the processing of Data where required.

      4.2. Obligation to Provide Support
      Emarsys shall, upon Blue Bay Travel’s request, adequately assist Blue Bay Travel in the event that Blue Bay Travel is only able to fulfil its obligations towards the data subjects (particularly the obligation to provide a data subject with details regarding the processing of his/her personal data) with Emarsys’s assistance. Emarsys shall forward to Blue Bay Travel data subject requests directed to Emarsys. Emarsys shall also, upon Blue Bay Travel’s request, assist Blue Bay Travel in ensuring its compliance regarding the security of personal data (security of processing, notification of a personal data breach to the supervisory authority, communication of a personal data breach to the data subject) as well as a potentially necessary data protection impact assessment and prior consultations, in each case taking into account the nature of processing and the information available to Emarsys.

      4.3. Rectifying, deleting, and blocking
      Should personal data need to be rectified, deleted, or blocked, Blue Bay Travel shall undertake this themselves by using the corresponding functions available in the software provided. If this is not possible, Emarsys shall take on the tasks of rectifying, deleting, and blocking, following the instructions from Blue Bay Travel. Item 7.2 applies to the deletion of the Data at the end of the contract term.

      4.4. Location of Data processing
      The Data shall be processed solely in the European Union (EU) and/or in the member states which are included in the agreement covering the European Economic Area (EEA), provided that Blue Bay Travel has not permitted Emarsys to process the Data in a country outside of the EU and the EEA in this Contract or in any other manner.

      4.5. Data protection officer
      Emarsys shall have a designated data protection officer. Emarsys shall provide its data protection officer’s contact details to Blue Bay Travel upon request.

      4.6. Confidentiality of the Data
      Emarsys shall familiarize its employees who are assigned with the task of processing personal data with the regulatory provisions of data protection, and shall commit them in writing to maintaining confidentiality and data secrecy. This obligation of secrecy especially applies to persons assigned with the task of processing data, and for data relating to legal bodies or an association, and shall continue to apply for Emarsys even after the employment is terminated.

      4.7. Obligation to notify
      If Client Data becomes known to unauthorized third parties in an unlawful manner, i.e. in breach of applicable data protection laws, this Contract, or instructions given by Blue Bay Travel, Emarsys must immediately inform Blue Bay Travel of this.

      4.8. Technical and organizational measures
      Taking into account the state of the technology, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of persons, Emarsys shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Furthermore, Emarsys shall take steps to ensure that any person acting under its authority who has access to the personal Data does not process it except on instructions from Blue Bay Travel, unless he or she is required to do so by EU or EU Member State law.

      4.8.1. Pseudonymisation And Encryption Of Personal Data
      Measures implemented my Emarsys which generally prevent unauthorized processing of personal data: data cannot be read, copied, altered, or removed without authorization during processing or utilization and after being saved (including encryption processes):

      4.8.1. Personal data are encrypted when transmitted.
      To the extent reasonably possible (without preventing the rendering of the agreed services) personal data are anonymized and/or pseudonymized by hashing or reference to a database whether personal data are stored.


      4.9. Obligation to indemnify
      If a third party (inclusive of public authorities) makes claim(s) against Blue Bay Travel and/or accuses Blue Bay Travel to be in breach of contract which is/are based on Emarsys’s breach of its duties, the following shall apply: Emarsys shall grant Blue Bay Travel indemnity against these claims, provide Blue Bay Travel with appropriate support for their legal defense, and indemnify Blue Bay Travel for the reasonable cost of the legal defence. The obligation to indemnify shall only be valid if Blue Bay Travel informs Emarsys of any asserted claims in writing and without undue delay, does not make a confession or any other similar statement to that effect, and allows Emarsys, at Emarsys’s own expense and as far as is procedurally possible, to conduct all legal and out of court proceedings regarding the claims.

      5. Blue Bay Travel’s right to carry out audits

      5.1. Certification
      Emarsys must use an information security management system that is certified according to ISO 27001 during the term of this Contract, and shall provide proof of same upon request.

      5.2. Audits
      To the extent required, Blue Bay Travel is permitted to audit (or to have another auditor, mandated by Blue Bay Travel, audit) Emarsys’s compliance with: a) the legal regulations in relation to data protection, b) the contractual agreements made by the parties and c) Blue Bay Travel’s instructions. Emarsys shall contribute to such audits and make available to Blue Bay Travel all information necessary to demonstrate its compliance. Blue Bay Travel must give at least two weeks written notice prior to carrying out audits at Emarsys’s business
      premises. The audits shall be carried out by Blue Bay Travel during the normal business hours, and without causing a significant disruption to business operations. Each party shall cover its own costs of, or in connection with, audits.

      5.3. Legitimate interests of Emarsys
      If by carrying out the audits Emarsys’s trade and business secrets may be revealed, or intellectual property belonging to Emarsys could be compromised, Blue Bay Travel must have the audits carried out by an independent specialist third party which is under the obligation to maintain confidentiality with respect to Emarsys.

      6. Subcontracting

      6.1. Engaging subcontractors
      Emarsys shall be authorized to engage subcontractors to process the Data if Emarsys enters into a written or electronic contract with the subcontractor regarding the processing of the Data, and the level of protection provided by said contract is equal or greater than that of this Contract, and Blue Bay Travel gives its prior written or electronic consent to engage the subcontractor. Emarsys shall inform Blue Bay Travel in writing or electronic form of any intended changes concerning the addition or replacement of subcontractors, thereby giving Blue Bay Travel the opportunity to object to such changes. Blue Bay Travel’s consent shall be deemed given if Blue Bay Travel does not object in writing or electronic form within one month after receipt of this information.

      6.2. Liability for subcontractors
      Where a subcontractor fails to fulfil its data protection obligations, Emarsys shall remain fully liable to Blue Bay Travel for the performance of that subcontractor's obligations.

      7. Terms of termination

      7.1. Data at the point of contract termination
      Emarsys shall delete Blue Bay Travel’s Data from its data storage media and destroy any relevant documentation it holds, 30 days after the Main Contract has ended, provided that Emarsys is not legally obliged to continue storing it. Blue Bay Travel shall be responsible for exporting the Data in a timely manner before the end of this period, and to save it for its own continued use. Blue Bay Travel shall separately commission and remunerate Emarsys for Data that is published or exported in such a way that is not covered by the services included in the standard functions (e.g. downloading files).

      7.2. Backup copies
      The above obligation to delete shall not apply to copies of the Data which are included in regularly created back-up copies of Emarsys’s comprehensive data sets, which would require Emarsys to invest significant resources to achieve an isolated deletion, and which will be automatically deleted or replaced after a maximum of 14 days as part of the back-up cycle that Emarsys applies. Until the automatic deletion or replacement occurs, any recovery or other use of such copies is prohibited after the termination of this Contract. Blue Bay Travel may request Emarsys delete such backup copies immediately if Blue Bay Travel reimburses Emarsys for the reasonable costs which are incurred by this; this also includes compensation for the incurred working hours of Emarsys’s personnel.

Contact information

    • Owner and Data Controller

      Blue Bay Travel Ltd, Unit A4 Bellringer Road, Trentham Business Quarter, Stoke on Trent, ST4 8GB

      Owner contact email: gdpr@bluebaytravel.co.uk