OUR PRIVACY POLICY

  

Rosecastle.com is a website domain specifically created to manage a single sign-on (SSO) and single point of privacy management when you engage with one or more Rose Castle activities delivered by either of:

Rose Castle Foundation (Charity No. 1159568) – the charitable activities of education, residential and workshop programmes focused on peace and reconciliation delivered across the UK and abroad.

Rose Castle Company (Company No. 10261035) – the hospitality of bedrooms, food and beverage, for those staying at the Castle for weddings, business meetings, special family celebrations, and special interest tourism.

Rose Castle Gardens – our volunteer gardens group, expected to be incorporated soon as a charity limited by guarantee that will focus on the renovation of Rose Castle Gardens and expand a garden volunteer programme

All of us involved in these different Rose Castle activities are committed to protecting and respecting your privacy. This privacy policy sets out how we collect, use and protect your personal information.

When you provide or we collect information by which you can be identified then it will only be used in accordance with this privacy policy and the General Data Protections Regulations (GDPR) 2018.

This policy explains
• Who we are
• What information we may collect about you
• How we may use this information
• How this information is stored
• Whether we disclose this information to anyone else
• Your choices regarding the information you provide to us

We may change this Privacy Policy from time to time to ensure that that it is up to date and in line with current legislation. If you would like to view the Privacy Policy please contact us. We deem that you accept changes to this Privacy Policy unless you notify us otherwise.
The current Privacy Policy was reviewed August 2019.


Who we are

We are collectively known as the Rose Castle Partnership whereby we work together to create a seamless digital and onsite experience for each person who interacts with Rose Castle. An individual may visit the Gardens, only to return subsequently to book and host a family celebration at Rose Castle. Another individual may attend a business meeting at the Castle, yet choose to become a regular donor to the peace and reconciliation work of Rose Castle Foundation. For each person, Rose Castle is the brand of this special haven we describe as the “space to re-imagine”. Hence rosecastle.com is a shared domain, much like many organisations might use facebook.com as a shared publishing platform.

Your private information is collected by the rosecastle.com domain under the oversight of the Rose Castle Partnership group, such that the following organisations are jointly and severally liable to you for collecting, storing and removing your information as you require or permission. These legal organisations listed immediately below are all Data Controllers of your information and rosecastle.com offers a single point of opt-in and opt-out for your convenience.


Rose Castle Foundation (RCF) – the charitable activities of education, residential and workshop programmes focused on peace and reconciliation delivered across the UK and abroad.

RCF Registered address: Rose Castle Foundation, Rose Castle, Dalston, Carlisle, Cumbria CA5 7BZ
Registered charity no: 1159568

For further information, visit: www.rosecastle.foundation


Rose Castle Company Limited (RCC) – the hospitality of bedrooms, food and beverage, for those staying at the Castle for weddings, business meetings, special family celebrations, and special interest tourism.

RCC Registered address: Rose Castle Company Limited, 34 High Street, Orwell, Royston, United Kingdom, SG8 5QN
Company Number: 10261035
For further information, visit: www.rosecastle.com/rcc/home

For the purpose of the General Data Protection Regulations 2018, the two Data Controllers (we or us) for rosecastle.com are the independent Rose Castle Foundation, and Rose Castle Company Limited who provides the hospitality for all stays at Rose Castle.


What we collect

We may collect the following information:
• names
• personal details – in relation to job applications/employment
• contact information including telephone number, postal address, email address
• demographic information such as area of interest e.g. events, volunteering opportunities or activities you are interested in and your personal contact preferences
• how you heard about us
• financial information such as credit/debit card or bank details so that we can process payments, payroll
• CCTV images or images which may give away information about you (e.g. Car number plate)
• other information relevant to bookings, delivery of a service, employment related, and/or relating to offers
• preferences you indicate via web forms on your choices of activities, services, needs and other factors relevant to your stay or programme

We only hold your ‘personal’ data when you provide it to us, e.g. when you register to stay with us, apply for a role with us, become an employee, when you use our website, when you subscribe to our communications, when you contract with us for a service and the data that we do hold is relative to your relationship with us. It will only include personal information that you have voluntarily provided to us (as above).

We also may receive personal information indirectly, in the following situations:
• A complainant refers to you in their complaint correspondence.
• From other regulators or law enforcement bodies.
• An employee of gives your contact details as an emergency contact or a referee.

 

What we do with the information we gather

We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:
• internal record keeping
• to respond to your request for a service – e.g. bookings
• to send you information relevant to your relationship with us – e.g. member, trustee, customer, delegate
• to invite you to stay, attend an event, or participate in training or educational programmes
• to fulfil a contract e.g. provision of accommodation
• to process payment
• to improve our products and services
• to ensure the security and safety of our premises and services
• to process an application/ manage your employment with us
• if you have requested information about new products, services special offers or other information which we think you may find interesting we may periodically send promotional emails using the email address which you have provided
• from time to time, we will also use your information to contact you for monitoring evaluation purposes. We are likely to contact you by email, but we may contact you by phone or post.

The information provided will be held in accordance with the General Data Protection Regulations and may be used by Rose Castle Company and/or Rose Castle Foundation to supply the services which you have requested and/or to ensure the protection of our premises and safety of our staff.

Where we have collected the personal information based on your consent and we have no other lawful basis to continue with that processing, if you subsequently withdraw your consent then we will stop processing that personal information and delete it. This will not affect the lawfulness of processing based on consent before its withdrawal.

We review the retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations (e.g. financial and contractual obligations and records). We will hold the information as long as is necessary for the relevant activity or as long as set out in any contract you hold with us.
We process personal data in accordance with the data protection principles.


Processing Data

How long we keep it
We only keep data for as long as it is required. You have the right to ask for your information to be removed from our records.


Where we store your personal data
In order to prevent unauthorised access or disclosure we have effective physical, electronic and managerial procedures to safeguard and secure the information we hold about you including online collection of data.

We keep information about you safe and secure by using electronic databases including Hubspot and Dropbox both of which are password protected systems, accessed only by staff who have been sufficiently trained and who are bound by our organisational policies and procedures. Paper copies are kept securely in locked drawers/cupboards.If you have provided information on paper, it may be transferred to an electronic database.
If we collect and retain information for payment, audit or employment purposes, it is stored securely. We do not store debit/credit card details and destroy or obscure these as soon as your payment is processed.
CCTV data is stored for 40 days in order to process any potential security or safety queries and then is automatically deleted from the computer hard drive.

All information you provide to us is stored on secure servers.

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services.
If we do transfer information outside the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. To do this we will use one or more of these safeguards:
Only transfer it to a non-EEA country with privacy laws that give the same protection as the EEA as specified by the European Commission and which has been determined as adequate by the EEA;
Ensure that a contract with the recipient (data processor) is in place that means that they must protect it to the same standards as the EEA;
If transferring personal data to the US ensure that the organisation is part of Privacy Shield, which is a framework that sets privacy standards for data sent between the US and EU countries.


You can find out more about these safeguards on the European Commission Justice and ICO websites.


By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

 

 

RoseCastle.Com Website

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.


Links to other websites
Our website may contain links to and from other websites including some of our partners, affiliates and other websites of interest. However, please note that we do not have any control over that other website and therefore cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites. They are not governed by this privacy policy and we do not accept any responsibility or liability for these sites and would advise that you check the privacy statements before submitting any personal data to these websites.

 

 

Cookies

It is possible that we may gather general information regarding your computer for our services. This collection of data is used for statistical analysis about our website for use by us.
Any information shared regarding your computer will not identify who you are, but rather be mathematical data about our visitors and their use on our site. The computer data does not give out any personal details.
Cookies, which are small pieces of information sent by an organisation to your computer and stored on your hard drive to allow that website to recognize you when you visit, may be used to gather this general internet data. When used, cookies are downloaded to your computer only when accepted by you and they gather information on browsing actions and patterns and do not identify you as an individual. This helps us improve our site and services to you.
All computers can block cookies by activating proper browser settings. There is a place to enable you to decline cookies when you visit our site. Please note if you decline cookies you may experience limited access to certain areas of our site.

Social Media
Rose Castle Foundation uses Facebook and Twitter for social media interactions. For details of their privacy policies: www.facebook.com/about/privacy ; www.twitter.com/privacy

Controlling and accessing your personal information
We never have and never will sell your data or share it with another company or charity for marketing purposes. We keep your data safe and will only share this when we are required to by law or we are using other companies’ services – for example Hubspot to circulate our email bulletins or compliance and regulatory bodies: HM Revenue & Customs (HMRC), police, local authorities, where they request it and we may lawfully disclose it, for example for the prevention and detection of crime.

Any company whose services we use in this way are required to treat your data as carefully as we do and use it only in the course of the work, they are doing for us.

Third parties who may provide an element of a service for us are classed as Data Processors. They will not share any data with any organisation other than us. They will hold it securely and retain it for the period instructed.

We will not sell, distribute or lease your personal information to third parties unless we have your permission or unless we are required by law to do so. You may request details of personal information which we hold about you under the General Data Protection Regulations 2018. See Your rights.

Your rights

At any time, you may review or update the personally identifiable information that we hold about you, by contacting us at the address below. To better safeguard your information, we may also take reasonable steps to verify your identity before granting access or making corrections to your information.


Rectification: We want to make sure that the personal information we hold about you is accurate but if you believe that any information, we are holding on you may be incorrect or incomplete, please contact us as soon as possible (see Contact us). We will promptly correct any information found to be incorrect.

Access: You have the right to request a copy of the information we hold about you (Data Subject Access Request) and this can be submitted at any time. We will respond within one month of receiving this request in writing. Please contact us for full details.

Erasure: You also have the right to request the modification or erasure of your personal information (otherwise known as right to be forgotten). We will only decline to modify or erase your personal information in some cases in accordance with applicable national laws. To protect your right to be forgotten, all personal data not subject to a contract will either be anonymised or destroyed.

Restriction: You can limit the way we use your personal data if you are concerned about the accuracy of the data or how it is being used.
We do not make any decisions by automated processes.

Data Portability: This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.

If you wish to opt out of any communication/update your preferences please simply follow the instructions at the end of every communication from us or contact us (as below).

To update your information and/or to make changes to your preferences at any time, please contact us at privacy@rosecastle.com or call Rose Castle on 07855 308999.

If you would want to lodge a complaint about us, please contact the Information Commissioners Office on 0303 123 1113, email: dpo@ico.org.uk or visit: www.ico.org.uk

Contact us

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to Rose Castle Partnership:
• email reception@rosecastle.com or
• write to us at Rose Castle, Dalston, Carlisle, Cumbria CA5 7BZ


Appendix 1

Legal Basis for processing data:
Make an enquiry/contact:
6 (1) (b): The processing is necessary for the performance of a contract to which the data subject is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract.

Attend an event/training/network:
6 (1) (a): The data subject has given his consent to the processing
9 (2) (a): the data subject has given his explicit consent to the processing of the personal data for one or more specified purposes (if dietary or access information is provided).

Subscribe to communications:
6 (1) (a):The data subject has given his consent to the processing

Make an information request:
6 (1) (c): The processing is necessary for compliance with any legal obligations to which the data controller is subject, other than an obligation imposed by contract

Enter into a service:
6 (1) (b): The processing is necessary for the performance of a contract to which the data subject is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract
9 (2) (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law (if any special category data is provided).

Provision of a service (e.g. payroll):
6 (1) (c): The processing is necessary for compliance with any legal obligations to which the data controller is subject, other than an obligation imposed by contract

9 (2) (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law (if any special category data is provided)

Make a complaint:
6 (1) (d): The processing is necessary in order to protect the vital interests of the data subject
Emergency Contacts:
6 (1) (d): The processing is necessary in order to protect the vital interests of the data subject
Applications for role// Trustee:
6 (1) (b): The processing is necessary for the performance of a contract to which the data subject is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract
9 (2) (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law (if any special category data is provided)

Employees:
6 (1) (f): The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject
DBS Checks (employees/volunteers)
The processing is necessary under the Law Enforcement Directive
9 (2) (b): processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law (if any special category data is provided).

Communicate with us as business:
• 6 (1) (c) suppliers, contractors, building management, IT services The processing is necessary for compliance with any legal obligations to which the data controller is subject, other than an obligation imposed by contract

• 6 (1) (f) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject