Policy Statement
Northumberland Estates (The Estates) collects and uses information about people with whom it communicates when conducting business and in the recruitment and management of its staff. This personal information must be dealt with properly and securely however it is collected, recorded and used – whether on paper, in a computer, or recorded on other material – and there are safeguards to ensure this in the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulations (GDPR).
The Estates regards the lawful and correct treatment of personal information as very important to the successful and efficient performance of its functions, and to maintain confidence between those with whom it deals.
To this end The Estates fully endorses and adheres to the Principles of Data Protection, as set out in the DPA and GDPR.
Who we are
Northumberland Estates is a multi-faceted business based at Alnwick Castle in Northumberland, who operate a diverse portfolio of business streams; property investment, development and management, farming, forestry and tourism.
Northumberland Estates office is located at:
Estate Office, Alnwick Castle,
Alnwick,
Northumberland,
NE66 1N
If you have any questions regarding this policy or how we process Personal Data gathered through our business interests, please contact us using the details below:
Data Protection Administrator
The Estate Offices
Alnwick Castle
Northumberland
NE66 1NQ
+44 (0)1665 510777
dpo@northumberlandestates.co.uk
We are also registered with the Information Commissioner’s Office under registration number [ZA087068].
If you have a question regarding how we use your Personal Data, ask for the Data Protection Data Projection Administrator or address your communication to the "Data Protection Administrator
Changes to this Policy
The Estates reserve the right to change or update this policy at any time where it is necessary or appropriate to do so and shall notify all interested parties of these changes.
Definitions
The Estates. Northumberland Estates.
"Data" is information which is stored electronically, on a computer, or in certain paper-based filing systems. The Act is not restricted to information held on computers. Electronic data includes data kept on computer and other digital devices such as laptops, tablets, smartphones, mobile phones and digital cameras. Well ordered paper-based filing systems such as an HR filing cabinet, with employees listed alphabetically, will be covered by the Act.
"Data subjects" for the purpose of this policy includes all living individuals about whom we hold personal data. A data subject does not need to be a UK national or resident. All data subjects have legal rights in relation to their personal data.
"Personal data" is data about a living Individual who can be identified:
- from that data; or
- from that data and other information which is in the possession of or is likely to come into the possession of the data controller.
- Personal data includes any expression of opinion about an individual and any indication of the intentions of the data controller or any other person in respect of the individual. Note, the definition does not cover companies (although it does cover individuals within companies) nor does it cover information about the deceased.
- any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or
- indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
"Data controllers" are the individuals or organisations which, determine the purposes for which, and the manner in which, personal data is processed. They have a responsibility to establish practices and policies in line with Data Protection legislation.
"Data processors" include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data on behalf of Northumberland Estates.
“Data Subject” an identifiable natural person is one who can be identified, directly or indirectly
"Processing" is any activity that involves use of the data. You (and therefore we) will process personal data when you obtain, record or hold the data, or carry out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
"Sensitive personal data" includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life or about the commission of or proceedings for any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions and will usually require the express consent of the person concerned.
Data Protection Principles
Data users must comply with the data protection principles of good practice which underpin the Act. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
To achieve this the Estates complies with the following Data Protection Principles defined in Article 5 of the GDPR, which states that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
- collected only for valid purposes that we have clearly explained to you and not used in a way that is incompatible with those purposes ('purpose limitation');
- adequate, relevant and limited to what is necessary in relation to the purposes we have told you about ('data minimisation');
- accurate and kept up to date ('accuracy');
- kept only as long as necessary for the purposes we have told you above ('storage limitation');
- kept securely, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
These principles apply to “personal data” which is information held on computer or in manual filing systems from which they are identifiable. The Estate’s employees, volunteers and trustees who process or use any personal information in the course of their duties will ensure that these principles are followed at all times.
The Estates take data protection very seriously and respect the privacy of visitors to the Alnwick Castle website. We are committed to protecting and respecting your privacy.
Collection and Processing of Personal Data
Personal data will be retained by the Estates only for as long as needed for processing or for as long as the requisite law requires. Once personal data is no longer needed it shall be destroyed in accordance with good data protection practice.
Should anyone at any time become aware of a data breach, they should immediately notify the Data Protection Administrator who will deal with the breach and manage any issues that follow as a result. Failure to notify us of a data protection breach within 24 hours of becoming aware of the breach or of suspecting a breach may result in disciplinary action under the Estates’ disciplinary policy and procedures.
In the course of recruitment and employment of individuals, the Estates will collect and process various data about the candidate including sensitive personal data in limited circumstances. This information will be retained for the duration of their employment. We will also retain some information after the end of their employment with us, for residual employment-related matters and to allow us to fulfil contractual and statutory obligations.
Our Obligations to you
Data protection legislation is intended to ensure that any and all data processing is done fairly and lawfully and does not adversely affect the individual.
The Estates will process your personal data in accordance with our legal obligations and good data protection practice.
The Estates will only process personal data relating to individuals for the purposes it was collected for.
The Estates will store personal data in a safe and secure manner and only people who need to see it as part of their job will have access to it.
The Estates will keep personal data up to date and will correct it if it is wrong.
The Estates will keep personal data only as long as is necessary for the purpose(s) it was collected for.
The Estates will avoid collecting sensitive personal data unless absolutely necessary. If we do collect it, and will take extra measures to ensure it is kept safe and secure.
How and why do we collect your data?
If you are employed or engaged by the Estates we may collect and use your personal information for the following most common reasons:
- Where we need to perform the contract we have entered into with you.
- Where we need to comply with a legal obligation.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
We may also need to use your personal information where we need to protect your interests (or someone else’s) or where it is needed in the public interests (for official purposes). It is expected that these situations are likely to be rare.
Please note that we may process your personal information without your knowledge or consent where this is required or permitted by law.
For examples of data processing outside of the employment relationship and for your information only, we will collect and use personal information for the following reasons:
Purpose / Activity |
Information we collect |
Legal Basis for Processing |
I have booked tickets on the Alnwick Castle website |
Names, Address, Postcode, e-mail address, Banking Details |
Necessary for our legitimate interest to ensure we have a record of all visitors to Alnwick Castle and to ensure the safety of all visitors is maintained during visits to Alnwick Castle;
Necessary for the performance of a contract and to enable us to enforce any agreements entered into by us with visitors to Alnwick Castle; or
Necessary for our legitimate interest to resolve any disputes which may occur with visitors to Alnwick Castle |
I have booked an event / wedding at Alnwick Castle |
Names, Address, Postcode, e-mail address, Banking Details |
Necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Necessary in order to protect the vital interests of the data subject or of another natural person.
Necessary for compliance with a legal obligation to which the controller is subject. |
I currently receive or wish to receive comments and updates from Alnwick Castle |
Names, Address, Postcode, e-mail address |
We are required to process Personal Data received from you to enable us to fulfil our relationship management role and other business development following consent to process such Personal Data by the recipients of these communications.
On the basis of consent, specifically where we ask your consent to be able to use your data for a specific purpose such as to send you marketing materials about upcoming events at Alnwick Castle. |
I have browsed the Alnwick Castle website |
Each user’s number of visits, time of the first visit, the previous visit and the current visit
How long a visitor stays on the site: when a visit starts and ends
Where a visitor came from (search engine, search keyword, link)
Track visitor journeys through the site and classifies them into groups |
We may collect Personal Data as part of the cookie data we collect to enable us to analyse visits to our website which will help us to improve the overall content and user journey.
On the basis that it is necessary for our legitimate interests to improve our website and online content that we provide to our website users, prospective customers and customers. |
Who do we share information about you with?
The Estates may have to share your personal information with third parties, including third-party service providers and other entities within the Estates. We require third parties to respect the security of your data and treat it in accordance with the law. Examples of when we may share your personal information include:
- where you have consented for us to do so. For example, if you have consented to share your data with a third party in respect of an event or opportunity, we may pass your data on to the relevant third party for the purpose of administering such an event.
- to business partners, suppliers, sub-contractors and other third parties that we use in connection with the operation of our business for the purposes set out in the section ‘How and why do we your data’, such as:
- third-party service providers that we engage to provide IT systems and software, and to host our website;
- third-party service providers that we engage to organise events or provide marketing and advertising services.
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation; or
- to our professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
- it is necessary in order for us to perform a contract between you and Northumberland Estates Limited;
- it is necessary in order for us to take measures to enter into a contract with you where you have requested us to do so;
- it is necessary for us to establish, exercise or defend legal claims
Security of Personal Data
The Estates will process personal data securely and ensure the confidentiality, integrity and availability of personal data.
The Estates have implemented a number of policies and procedures to provide guidance for its staff and contractors to help mitigate the risks involved in the processing personal data and have also implemented organisational, technical and physical security measures to protect personal data and all employees and contractors must take particular care to ensure that the processing of personal data is done in accordance with the instructions provided.
How is your information held?
We use reasonable and up to date security methods to keep your data secure and to prevent unauthorised or unlawful access to your information. All information you provide to us is stored in our secure systems.
How long do we store information about you for?
The period for which we will store Personal Data is based on our need to fulfil our legitimate operational needs, comply with applicable law, resolve disputes, and enforce our agreements. We will not keep your Personal Data for longer than is necessary for the purpose(s) for which we process it. This means that data will be destroyed or erased from our systems when it is no longer required. For guidance on how long certain data is likely to be kept before being destroyed, contact our Data Protection Administrator
Ensuring your Personal Data is accurate
We will keep the Personal Data we store about you accurate and up to date. We will take every reasonable step to erase or rectify inaccurate data without delay. Please notify us if your personal details change or if you become aware of any inaccuracies in the Personal Data we hold about you. We will contact you annually to check your details are still up-to-date. We will also contact you if we become aware of any event which is likely to result in a change to your Personal Data.
Only processing the personal information that we need to
Your Personal Data will only be processed to the extent that it is necessary for the specific purposes we tell you about.
Automated decision-making
We do not conduct automated decision making (including profiling) on the Personal Data we process and in particular we confirm we conduct no automated decision making on special category data or which has a legal or similar significant effect.
Transferring your Personal Data outside the European Economic Area
The personal data we collect from you may be transferred outside of the UK and the European Economic Area using legally-provided mechanisms to lawfully transfer data across borders.
We will take all steps necessary to ensure that your data is treated securely and in accordance with this Privacy Notice. We will also ensure a similar degree of protection is afforded to it by ensuring appropriate safeguards, as required by law, are in place. This may include using specific contractual clauses approved by the European Commission which give personal data the same protection as it has in Europe.
More information about these is available here:
http://eur-lex.europa.eu/legalcontent/en/TXT/?uri=CELEX:32010D0087