Park Hotel Diss
(Privacy, Data Protection & Cookies Policy)

Company: The Park Hotel Diss Limited
Company Number: 16678985
Registered Address: 27 Old Gloucester Street, London, WC1N 3AX
Hotel Address: The Park Hotel, Diss, IP22 4LE
Telephone: 01379 642 244 | Email: info@parkhoteldiss.co.uk
Governing Law: England and Wales | Last Updated: October 2025



1. Introduction
This Policy explains how The Park Hotel Diss Limited (“the Hotel”, “we”, “us”, “our”)
collects, uses, stores, and protects personal data in compliance with the UK General
Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
It applies to guests, visitors, suppliers, contractors, staff, and users of our website.
By using our services, staying with us, or communicating with us, you acknowledge that
your information will be processed in accordance with this Policy.


2. Purpose and Scope
The purpose of this Policy is to explain what personal data we collect, how and why we
process it, the legal grounds for doing so, who we share it with, and the rights you have
under data-protection law.
It covers all personal data handled by the Hotel, whether stored electronically or on paper.


3. Definitions
For the purposes of this Policy:
• Personal Data means any information relating to an identified or identifiable
individual.
• Processing means any operation performed on personal data such as collection,
storage, use, or disclosure.
• Controller refers to the person or organisation that determines the purposes and
means of processing.
• Processor is any party acting on behalf of the Controller.
• Data Subject means the individual to whom the data relate.
• Special Category Data includes sensitive information such as health, religious
beliefs, or ethnic origin.
• Data Breach means any incident that leads to the accidental or unlawful destruction,
loss, alteration, or unauthorised disclosure of, or access to, personal data.


4. Categories of Data Collected
We may collect and process identity and contact details (such as name, address, email,
and telephone number); booking information (including dates of stay, room preferences,
and payment status); financial data (where required for billing); technical data from
devices used to access our Wi-Fi or website; CCTV footage for security and safety;
marketing preferences and communication history; and employment or supplier
information relevant to our operations.


5. Lawful Basis for Processing
We process personal data only where a lawful basis applies. These bases include:
• The performance of a contract (for example, managing your booking or processing a
payment).
• Compliance with a legal obligation (such as record-keeping for tax purposes).
• Our legitimate interests (such as maintaining security through CCTV or Wi-Fi
logging).
• Vital interests (for example, in a medical emergency).
• Your consent (for marketing communications or optional data collection).
Special Category Data is handled only with your explicit consent or where necessary to
protect vital interests.


6. How Data Flows Through Our Business
When you book a room or event, data are collected through our website, telephone
enquiries, or partner platforms such as Booking.com and Expedia. The information is
stored securely within our Property Management System (PMS) hosted in the UK or EEA.
Payment information is transmitted via encrypted gateways such as Stripe and SumUp.
Confirmation and follow-up emails are sent through our secure servers or through
Mailchimp where you have opted in to marketing.
CCTV and Wi-Fi systems record limited technical data for safety and connectivity. After
departure, records are archived and retained only as outlined in our data retention
schedule.


7. How We Use Personal Information
Your information is used to administer bookings, manage payments, communicate with
you before and after your stay, organise events, ensure security, meet legal and accounting
requirements, train staff, improve our services, and maintain accurate records for auditing
and insurance purposes.


8. Special Category and Sensitive Information
We may collect limited details about health or dietary needs to provide a safe and suitable
service. This information is collected only with explicit consent, stored securely, accessed
only by authorised staff, and deleted as soon as it is no longer required.


9. Security Measures
We apply appropriate technical and organisational measures to protect data, including
encrypted servers and backups, firewalls, secure passwords, multifactor authentication,
restricted access on a need-to-know basis, locked offices, CCTV coverage of data
handling areas, and regular staff training in data protection. All staff and contractors are
bound by confidentiality agreements.


10. Data Retention
Personal data is retained only for as long as necessary to meet its original purpose or legal
requirements. Guest records and billing details are kept for seven years to satisfy tax and
accounting laws. Event contracts are kept for seven years for insurance and audit
purposes. CCTV footage is retained for approximately thirty days unless required for an
investigation. Wi-Fi connection logs are held for twelve months. Marketing data is kept until
you withdraw consent or after two years of inactivity. Employee and payroll records are
stored for the duration of employment plus six years.


11. Data Sharing with Third Parties
We do not sell or rent personal information. However, we share limited data with trusted
partners who help us deliver our services. These include booking platforms such as
Booking.com and Expedia; payment providers such as Stripe and SumUp; marketing
providers such as Mailchimp; analytics services including Google Analytics and Meta
(Facebook) Pixel; and secure cloud storage providers such as AWS and Google Cloud. All
partners are contractually bound to handle data in accordance with the UK GDPR and are
not permitted to use the data for their own purposes.


12. International Data Transfers
Where data is processed outside the UK or EEA (for example by Mailchimp or Google), we
rely on transfer safeguards recognised under the UK GDPR, such as UK adequacy regulations,
the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard
Contractual Clauses, to ensure your data remains protected.


13. CCTV and Surveillance
CCTV is used in public areas of the Hotel to protect guests, staff, and property. Images
may be shared with law enforcement when required. Footage is stored securely and
automatically deleted after approximately thirty days unless needed for an investigation.
Clear signs are displayed around the premises to notify visitors that CCTV is in operation.


14. Guest Wi-Fi
Free Wi-Fi is provided for guests. Connection logs record device identifiers and connection
times to maintain network security and assist with legal investigations if necessary. Any
illegal use of the network is prohibited and may be reported to the authorities. Connection
logs are deleted after twelve months.


15. Cookies and Online Tracking
Our website uses essential cookies for functionality and optional cookies for analytics and
marketing. Examples include cookies from Google Analytics and Facebook Pixel to
measure traffic and advertising performance. Non-essential cookies are loaded only after
you give consent through the cookie banner. You can disable cookies at any time via your
browser settings. Our use of cookies complies with the Privacy and Electronic
Communications Regulations (PECR).


16. Marketing and Communications
Marketing emails and promotional offers are sent only if you have explicitly opted in. You
may withdraw consent at any time by clicking “unsubscribe” in our emails or contacting
info@parkhoteldiss.co.uk. Service-related messages such as booking confirmations are
transactional and do not require consent. We never sell or exchange contact lists.

17. Employee and Supplier Information
We process personal data of employees and contractors for employment and legal
purposes including payroll, tax, training, and safety compliance. Data is shared only with
authorised third parties such as HMRC, pension providers, and auditors. Records are
securely destroyed six years after employment or contract ends.


18. Data Subject Rights
Under the UK General Data Protection Regulation (Articles 12–23), individuals have the
following rights:
• Right of Access: To obtain confirmation as to whether we hold your data and to
receive a copy of that data.
• Right to Rectification: To correct inaccurate or incomplete information we hold
about you.
• Right to Erasure: To request the deletion of your data where it is no longer
necessary for the purposes collected or where consent is withdrawn.
• Right to Restrict Processing: To ask us to suspend the processing of your data
under certain conditions.
• Right to Data Portability: To receive your personal data in a structured, commonly
used, and machine-readable format, and to transfer it to another controller.
• Right to Object: To object to processing carried out for our legitimate interests or
for direct marketing purposes.
• Rights related to Automated Decision-Making: Not to be subject to a decision based
solely on automated processing, including profiling, that produces legal or similarly
significant effects on you.
Requests to exercise these rights should be made in writing to the Data Protection
Manager at The Park Hotel Diss Limited, 27 Old Gloucester Street, London, WC1N 3AX, or
by email to info@parkhoteldiss.co.uk.
We will verify your identity before responding and will reply within one month of receiving
your request. If the matter is complex, this period may be extended by up to two additional
months.


19. Automated Processing and Profiling
The Hotel does not make any decisions that produce legal or similarly significant effects
based solely on automated processing.
We may use limited analytics and marketing tools, such as Mailchimp and Google
Analytics, to improve our services or marketing relevance, but these processes do not
affect guest rights, access to services, or pricing.


20. Data Breach Procedure
A data breach is any event leading to the accidental or unlawful destruction, loss,
alteration, or unauthorised disclosure of, or access to, personal data.
The Hotel follows a formal Data Breach Response Plan which includes:
1. Identification and Containment: Immediate action to isolate affected systems and
prevent further data loss.
2. Assessment: Determining the scope of the breach, the type of data involved, and
the potential risks to individuals.
3. Notification: Reporting the breach to the Information Commissioner's Office (ICO)
without undue delay and, where feasible, within 72 hours of becoming aware of it,
unless the breach is unlikely to result in a risk to individuals; and informing affected
individuals without undue delay where the breach is likely to result in a high risk to
their rights and freedoms.
4. Mitigation: Implementing corrective actions to prevent recurrence and limit impact.
5. Documentation: Logging all breaches, including those not required to be reported
externally.
The Hotel will cooperate fully with the ICO, law enforcement, or other authorised bodies
where required.


21. Accountability and Governance
The management of The Park Hotel Diss Limited is responsible for ensuring compliance
with the data protection principles set out in Article 5(2) of the UK GDPR.
We have appointed a Data Protection Manager responsible for oversight of compliance,
training, and audits.
Governance measures include maintaining documented Records of Processing Activities,
annual staff training and policy refreshers, regular data audits, and written Data Processing
Agreements with all suppliers and partners handling personal information on our behalf.
Evidence of compliance is retained for audit and insurance purposes.


22. Complaints
If you believe that your personal data has been mishandled or processed unlawfully,
please contact our Data Protection Manager in the first instance at
info@parkhoteldiss.co.uk.
All complaints will be acknowledged within seven working days and investigated
thoroughly. We aim to provide a full written response within thirty days.
If you remain dissatisfied after our internal review, you have the right to lodge a
complaint with the Information Commissioner's Office (ICO), the UK supervisory authority
for data protection (ico.org.uk). You may also seek independent legal advice or mediation.


23. External Links and Third-Party Websites
Our website may contain links to external websites, such as Booking.com or local tourism
partners. These sites are operated independently and have their own privacy policies.
We are not responsible for the content, accuracy, or privacy practices of third-party
websites and encourage users to review their terms before submitting any personal data.

24. Policy Review and Updates
This Policy is reviewed annually or whenever there are significant changes in data
protection law or in our business operations.
Updated versions will be published on our website and made available at reception upon
request.
The current version always supersedes any previous edition.


25. Staff Training and Compliance
All staff receive data protection training during induction and refresher sessions are held at
least once per year.
Training covers confidentiality, secure handling of data, and recognising and reporting
data breaches.
Records of staff training are maintained for compliance monitoring.


26. Version Control
This Policy is version 1.0, issued in October 2025 by The Park Hotel Diss Limited
Management.
Subsequent updates will be numbered sequentially and recorded in our internal
compliance log.


27. Disclaimer and Contact Details
This document is provided for information and transparency purposes and may be updated
periodically to reflect new laws or operational practices.
Guests are encouraged to read the most recent version on our website or request a
printed copy from reception.
Contact Information:
The Data Protection Manager
The Park Hotel Diss Limited
27 Old Gloucester Street, London, WC1N 3AX
Hotel: The Park Hotel, Diss, IP22 4LE
Email: info@parkhoteldiss.co.uk | Telephone: 01379 642 244