Policies
Privacy policy
ITO is committed to protecting your privacy, and this Privacy Policy sets out the nature of the information we collect, how we collect it, and what happens to it.
Your information
This means facts such as your name, contact details, travel preferences and special needs, disabilities or dietary requirements that you supply to us, including any information about other persons on your booking (“your information”). Your information is collected when you request information from us, contact us (and vice versa) or book with us. You are responsible for ensuring that other party members know the content of our Privacy Policy and consent to your acting on their behalf in all your dealings with us. We will update your information as appropriate to ensure it is up-to-date and accurate.
Our Use of Your Information
We may disclose your information to our suppliers and service providers, who may be outside the Netherlands, so that we can provide you with your holiday services, transfers, etc. We disclose only information that is necessary for this purpose.
We may disclose your information to companies that carry out data processing services on our behalf, such as administration, business management, operations, research and analysis, marketing, monitoring, and other everyday business practices. If we search against the files of credit reference agencies, they will record the search, and as a result, how you conduct your account with us may be shared with other lenders and credit agencies.
Some of the data we collect about you, such as health-related information, may be considered “sensitive personal data”. We collect it to cater to your needs or act in your interest, but we do so on the condition that we have your positive consent. By booking with us, you also agree for your insurers, their agents and medical staff to disclose relevant information (which may contain sensitive personal data) to us in circumstances where we need to act in the interest of everyone in the group you are travelling with. If you do not agree to our use of your information in the manner described above, we cannot accept your booking.
Direct Marketing Material
Occasionally, we may contact you by post, email or telephone with information on holidays and related services, brochures, offers, new products, forthcoming events or promotions.
When you first supply us with your information, you may indicate your preference to also receive our direct marketing material for the above purposes by telephone or e-communications (e-mail, SMS, or e-brochure) on our website(s) or forms or to our staff.
If you do not wish to receive such information or want to change your preference, please refer to point (2) of “Your Rights” below.
Your Rights
You have the right to request in writing a copy of the information we hold about you and to correct any inaccuracies in your information by completing our Data Subject Access Request Form.
You have the right to ask in writing not to receive direct marketing material about our products and services. Once you properly notify us, we will take steps to stop using your information in this way.
Use of Cookies
If we contact and deal with you via our website(s), we may use “cookies,” which allow us to identify your computer but not you personally. A cookie is a small piece of data sent from our web server to your computer and stored in a text file on your hard drive; you can set your web browser to refuse cookies. We use cookies to measure site usage and related information. If you are making a purchase or other process-led transaction, we may also use cookies to track the transaction from one web page to another.
Links to other websites
Our website(s) may contain links to sites we do not control. These sites may send you cookies and collect data and personal information. We are not responsible for the actions, content or privacy policies of those websites to which our website(s) may link.
Aggregated Information
We may collect aggregate information about customer trends and patterns and disclose aggregate statistics about enquiries, visitors, customers, and sales to describe our services to prospective partners, purchasers, advertisers, and other reputable third parties for other lawful purposes. No personally identifying information is disclosed.
Monitoring
To ensure that we carry out your instructions accurately and to help improve our service, we may monitor and record telephone calls and customer transactions and activities on our website for security reasons. All recordings are and shall remain our sole property.
Changes to the Privacy Policy
We reserve the right to make changes to this Policy as required. Updates will be posted on our website. We will strive to ensure that our practices comply with the most current version of this Policy.
Critical Incident Response Plan (CIRP) Policy
Policy Statement
ITOtours is committed to ensuring our guests' and staff's safety, well-being, and operational integrity. Our Critical Incident Response Plan (CIRP) is designed to provide a structured and effective response to incidents that could impact our operations, reputation, or the communities we serve. This policy outlines our approach to preparing for, managing, and recovering from such incidents.
Scope
This policy applies to all employees, contractors, and partners involved in ITOtours operations and encompasses all services provided, including hotel allocations, transportation, and custom tour programs.
Objectives
- To ensure a swift and effective response to any critical incident.
- To minimise the impact of incidents on operations and stakeholders.
- To safeguard the health and safety of guests and staff.
- To maintain clear and effective communication with all stakeholders.
- To facilitate a timely recovery and return to normal operations.
Identification of Critical Incidents
Critical incidents may include but are not limited to natural disasters, health crises, accidents, security threats, and significant operational failures. Each type of incident requires specific strategies outlined in our detailed response procedures.
Roles and Responsibilities
- CIRP Coordinator: Oversees the implementation of the CIRP, coordinates the response efforts, and serves as the primary point of contact.
- Communication Officer: Manages all internal and external communications.
- Safety Officer: Ensures the implementation of safety protocols and first aid measures.
- Recovery Officer: Coordinates efforts to return to normal operations post-incident.
Communication Plan
The Communication Officer will manage communications, including notifying affected parties, coordinating with external agencies, and handling media inquiries.
Response Procedures
Detailed response procedures will be developed for identified critical incidents, including evacuation plans, emergency contact numbers, coordination with local emergency services, and specific action steps for staff.
Review and Improvement
The CIRP will be reviewed annually or following a significant incident to incorporate lessons learned and emerging best practices.
Policy Approval and Implementation
The management of ITOtours approves this policy, and it is effective immediately. All staff must familiarise themselves with the CIRP and participate in related training and drills.
Electronic Data Destruction Policy
Purpose and Scope
This policy establishes guidelines for the secure destruction of electronic data to protect sensitive information from unauthorised access or exposure. It applies to all electronic media and devices owned by the company, including, but not limited to, computers, laptops, external hard drives, flash drives, and any electronic storage devices that contain or have ever contained company data.
Policy Statement
The company is committed to safeguarding personal and sensitive information from potential security threats by ensuring proper disposal. This involves implementing and maintaining a robust electronic data destruction process that adheres to legal and regulatory requirements and industry best practices.
Responsibilities
- IT Department: To oversee and implement the data destruction process, ensuring all electronic data is irrecoverably erased.
- Employees: To comply with all data handling and destruction procedures and ensure no unauthorised data destruction occurs.
- Data Protection Officer: To ensure the policy complies with legal and regulatory requirements and to conduct regular audits of the data destruction process.
Methods of Destruction
The following methods are approved for the destruction of electronic data:
- Electronic Shredding: Software-based methods to overwrite the data on storage devices multiple times, ensuring the data cannot be recovered.
- Degaussing: Using a high-powered magnet to destroy the data on magnetic storage devices.
- Physical Destruction: Physically destroying the storage device, making retrieving data impossible.
Procedure
- Identification: Identify all devices and media that require data destruction.
- Authorization: Obtain authorisation from the Data Protection Officer or a designated authority before data destruction.
- Execution: Carry out the destruction using one approved method, ensuring the process is performed securely and effectively.
- Documentation: Maintain a log of all data destruction activities, including details of the device/media destroyed, the method of destruction, the date, and the personnel involved.
- Verification: Conduct random audits to ensure the effectiveness of the destruction methods and compliance with the policy.
Training and Awareness
All employees will receive training on this policy and its importance for data security. Regular updates and refresher courses will be provided to ensure ongoing compliance and awareness.
Policy Review and Update
This policy will be reviewed annually or more frequently to reflect changes in legal, regulatory, or business requirements. Any amendments will be communicated to all employees.
Compliance
Failure to comply with this policy may result in disciplinary action, including termination of employment, legal action, and financial penalties.
Vendor/Third-Party Risk Management Policy
Purpose and Scope
This policy establishes a standardised framework for managing and mitigating risks associated with third-party vendors and service providers. It applies to all departments and employees involved in selecting, engaging, and managing third-party entities across the organisation.
Policy Statement
The organisation is committed to ensuring that all third-party engagements are conducted to minimise risk to our operations, reputation, and compliance obligations. We will systematically assess, monitor, and manage third-party risks through the lifecycle of the vendor relationship.
Definitions
- Third-Party Vendor: Any external organisation or individual that provides goods or services to the company.
- Risk Management: Identifying, assessing, and controlling threats to an organisation's capital and earnings.
Roles and Responsibilities
- Senior Management: Ensure the policy is aligned with the organisation's strategic goals.
- Procurement Department: Lead the vendor selection process, ensuring all checks and balances are in place.
- Risk Management Team: Conduct risk assessments, monitor vendor performance, and manage risk mitigation strategies.
- Legal and Compliance: Ensure vendor agreements comply with applicable laws and regulations.
- IT Department: Assess and manage technology-related risks from third-party vendors.
Vendor Selection Process
- Pre-Assessment: Initial screening of vendors to ensure they meet the organisation's minimum requirements.
- Risk Assessment: Detailed evaluation of potential risks associated with a vendor, including financial stability, cybersecurity measures, and compliance practices.
- Selection Criteria: Vendors must meet criteria related to reputation, reliability, cost-effectiveness, and alignment with organisational values.
Vendor Risk Assessment and Monitoring
- Continuous Monitoring: Regular reviews of vendor performance, risk exposure, and compliance with contractual obligations.
- Risk Mitigation Strategies: Developing and implementing action plans to address identified risks.
- Reporting and Documentation: Maintaining comprehensive records of risk assessments, monitoring activities, and mitigation measures.
Compliance and Legal Considerations
Ensuring all vendor agreements include provisions for compliance with relevant laws, regulations, and standards. This includes data protection, cybersecurity, and industry-specific requirements.
Training and Awareness
Providing training for employees involved in the vendor management process to ensure they understand the risks and procedures associated with third-party engagements.
Policy Review and Update
Regularly reviewing and updating the policy to reflect changes in the regulatory landscape, industry practices, and organisational priorities.
Enforcement
Failure to comply with this policy may result in disciplinary action, including termination of employment for individuals and termination of contracts for vendors.
Data Protection Policy for ITO Tours UK
Introduction
ITO Tours UK is committed to protecting the privacy and security of personal data. This Data Protection Policy outlines our practices and procedures for handling personal information in compliance with the UK's Data Protection Act 2018 and the General Data Protection Regulation (GDPR). We aim to process personal data respectfully, lawfully, and transparently.
Scope
This policy applies to all ITO Tours UK employees, contractors, and partners who have access to personal data collected by the organisation.
Principles
ITO Tours UK adheres to the following data protection principles:
- Lawfulness, fairness, and transparency: Personal data shall be processed lawfully, fairly, and transparently.
- Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in an incompatible manner.
- Data minimisation: Only data necessary for the purposes for which it is processed is collected.
- Accuracy: Every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified immediately.
- Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary.
- Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage.
Data Subject Rights
Individuals have the following rights regarding their data:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights about automated decision-making and profiling
Data Protection Measures
ITO Tours UK implements appropriate technical and organisational measures to ensure and demonstrate that data processing is performed in compliance with this policy. Measures include:
- Data protection impact assessments
- Integrating data protection into internal documents
- Regularly training staff on data protection
- Periodically testing the effectiveness of security practices
Data Breach Procedure
In the event of a data breach, ITO Tours UK will promptly evaluate the risk to individuals' rights and freedoms and report this breach to the appropriate supervisory authority within 72 hours, where feasible.
Policy Review and Update
This policy will be regularly reviewed and updated to ensure compliance with data protection laws and regulations.
Contact Information
For any inquiries regarding this policy or data protection practices, please get in touch with our Data Protection Officer (DPO).
Data Subject Access Request (DSAR) Policy
Purpose
This policy outlines the process by which [ITOtours] ("we," "us," "our") handles Data Subject Access Requests (DSARs) from individuals ("data subjects") seeking access to their personal data processed by us, in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Scope
This policy applies to all personal data processed by [ITOtours], regardless of the format in which it is held. All employees and contractors of [Organization Name] must adhere to this policy when handling DSARs.
Identifying a DSAR
Any part of our organisation may receive a DSAR, which can be made verbally or in writing. A request need not be officially labelled as a DSAR to warrant a response under this policy.
Submitting a DSAR
Data subjects may submit a DSAR to [Designated Contact Information, e.g., email, postal address]. Requests should include sufficient information to identify the requester (e.g., full name, contact details) and any specific data or processing activities to which the request relates.
Verification of Identity
Upon receiving a DSAR, we will take reasonable steps to verify the requester's identity to ensure that personal data is not disclosed to unauthorised individuals. This may involve requesting additional information or documentation.
Processing a DSAR
- Timeline: We aim to respond to DSARs within one month of receipt. Depending on the complexity and number of requests, this period may be extended by two more months.
- Fees: Access requests are generally handled free of charge. However, we may charge a reasonable fee for additional copies, or if the request is unfounded or excessive.
Responding to a DSAR
Our response will include the following information:
- Confirmation of whether or not personal data concerning the data subject is being processed.
- A copy of the personal data being processed, along with details of the processing purposes, categories of personal data, and recipients of the data.
- Information on the data subject's rights, including the rights to rectification, erasure, restriction of processing, and objection to processing.
Exemptions and Limitations
Certain exemptions and limitations to a DSAR may apply under specific circumstances or legal requirements. If any such exemptions apply, the data subject will be informed accordingly.
Training and Awareness
All staff handling personal data will receive training on this policy and on handling DSARs effectively and in compliance with our data protection obligations.
Policy Review and Updates
This policy will be reviewed regularly and updated as necessary to ensure ongoing compliance with data protection laws and regulations.