Data Protection Policy (GDPR Privacy Notice)
In accordance with the GDPR Regulations with effect 25th May 2018 we must declare details of how we collect, hold and use your personal data. All data held is collected fairly and for lawful purposes only. You as an individual also have personal data rights and we have an obligation to uphold these. The purpose of this policy is to outline how Ocean Turtle Diving Limited has established measures to protect your privacy and information rights.
INFORMATION WE MAY COLLECT
The personal data we collect may include names, home addresses, telephone numbers and email addresses, dates of birth and credit/debit card details. We may also collect names and telephone numbers of your next of kin.
LEGAL BASIS FOR PROCESSING/RETAINING DATA
Your data may be processed by employees of Ocean Turtle Diving Limited for the purposes of conducting business with you or responding to an enquiry. If you are a current customer we have a legal right to hold your data (for example HMRC require sales data, supplier product recalls, to identify diver certifications for HSE, keeping servicing records for legal compliance). When you are no longer a customer you have a legal right to ask us to forget you, however, we must retain some of the above details by law.
SECURING YOUR INFORMATION
All data is stored in our secure electronic system EVE/DIVESHOP 360 which is password protected and is compliant with data storage policies.
TRANSFER OF DATA
For sales, rentals and air fills, we NEVER pass any of your personal details to any third party. We use your email address in order that our POS system EVE / EVE Agent can send you an environmentally friendly email receipt for any purchases, servicing, rentals or course bookings made. This also acts as your proof of purchase. You will also receive emails through EVE Agent with reminders of servicing due, or notifications of service items or purchased items ready to collect, upcoming courses and trips and events you are entitled to attend as an Ocean Turtle club member (separate to OTD Club Lounge which is the subscription club). You can request to not receive any of these communications at any time by clicking the “unsubscribe” link within our emails, and you have always been able to do this.
For PADI courses and certification applications, in order to issue your PADI certifications, your identity information details is electronically passed to PADI through their online processing centre in order to issue your certification card or your identity and contact information is passed on in application forms submitted to PADI by email.
We have written confirmation from all our suppliers, including EVE/DIVESHOP 360 and PADI, that they are GDPR compliant.
For servicing, your name only is written on a tag attached to your service item. For non Scubapro or Apeks regs, or for cylinders or other equipment, these are only passed to trusted third parties who conduct the servicing for us.
We only hold debit/credit card details for you in two situations – OTD Club Lounge members who pay a monthly fee (these are held electronically in a fully encrypted system), and rental customers for the duration of the rental period. These are held in paper form, in a locked room secure file, and returned to the customer for safe destruction upon return of rental gear.
Our website only uses essential “cookies”.
We will hold your details, unless otherwise requested, for up to 20 years.
CONSENT AND CONTACT
You and your next of kin are explicitly giving consent to us processing and storing your data as outlined in the above policy by providing us with your email address personal information. You can opt out at any time by clicking the “unsubscribe” link within our emails, or by calling us on 01256 819595, emailing us at firstname.lastname@example.org or popping in to see us.
DATA BREACH OR MISUSE
You are entitled to ask us (by letter or email) what details of yours are being held and processed, for what purpose and to whom they may have been disclosed. If you believe that any of your personal data which we are processing is incorrect, if you have any concerns about the use of your data, or if you would like to report a suspected data breach or to submit a “request to be forgotten” please contact us immediately at email@example.com.