Contents
- 1. Who we are
- 2. Data collection and lawful bases
- 3. Categories of personal data
- 4. How we store your personal information
- 5. How long we keep your information
- 6. How we keep your information safe
- 7. Information about young people
- 8. CCTV
- 9. Competitions and giveaways data processing
- 10. Disclosing your information to other organisations
- 11. Opting out of cookies use
- 12. Your rights
- 13. Complaints
- 14. Roles and responsibilities
- 15. Sale of YHA hostels and data transfers
This Privacy Notice sets out the data processing carried out by YHA (England & Wales) (‘YHA’, ‘we’, ‘our’) on this website and more generally. The notice explains how we collect and use information about you, the rights you have with regard to the use of your data and how you can contact us to exercise your rights.
YHA will periodically review and may update this Privacy Notice so that it continues to reflect our current data processing activity.
Information about our use of cookies is available at www.yha.org.uk/our-policies/cookie-statement and additional information is included in section 9.
Our website terms and conditions can be viewed at www.yha.org.uk/our-policies/website-terms-conditions
A separate privacy notice for employees, applicants and volunteers is available at jobs.yha.org.uk/privacy-policy.
1. Who we are
YHA (England & Wales) is registered with the ICO (Z6434257).
You can contact us in the following ways:
- Email: [email protected]
- Call: 01629 592700
- Write: Data Protection Team, YHA (England & Wales), Trevelyan House, Dimple Road, Matlock, DE4 3YH
2. Data collection and lawful bases
Information from and about you will be collected by us in various ways and for particular purposes, including:
- When you book YHA provided or YHA Partner accommodation, directly, or via a third-party website
- When you check in at one of our properties
- When you join as a YHA member or create a website account
- When you consent to join any YHA mailing lists
- When you donate, buy raffle tickets, take part in fundraising events, or subscribe to our lottery
- When you volunteer with YHA
- When you contact us
- When you take part in surveys, events, and competitions
- When you review our hostels or provide feedback on our services
- When you use our website(s)
- When you interact with us through social media or email
- When you are involved in an accident or incident at one of our properties
We rely upon the following bases for our processing, as set out in the UK GDPR:
- Your consent, for marketing purposes, Art 6(1)a
- To deliver contracted services, such as accommodation bookings, Art 6(1)b
- To meet our legal obligations, Art 6(1)c
- Where it is in a person’s vital interest to do so, such as in a health and safety or safeguarding situation Art 6(1)d
- To pursue our legitimate interests, generally to understand our customer activity, improve our services, respond to enquiries, and maintain an exclusion register, Art 6(1)f
- Where we process Special Category data, except where noted, we do so with your consent, Art 9(2)a
3. Categories of personal data
We generally collect personal data directly from you, when you book, join YHA or contact us. If you are part of a group booking the person making the booking may provide your information to us. If you book via a third party, such as Booking.com, your booking information is shared with us by them and is used to administrate your booking.
The types of information collected includes:
- Name and contact information (address, email, and telephone number)
- Gender
- Date of birth
- Payment details
- Identification verification, such as your passport or ID card number.
- Health information, where necessary to facilitate your stay
- Names and personal information for other people associated with a booking – we assume that you have their permission to share this information
- Information relating to your online interaction with YHA, for example the pages you visit on our websites, your IP address, device, and browser type, as well as social media interactions
- Correspondence and complaints information
4. How we store your personal information
The data that we collect from you will be securely stored and processed in the UK and may be transferred to, processed, or stored at trusted third-party destinations including within the EEA, USA or worldwide.
Where your data is stored and processed by a third party we have contracts in place to ensure that the data is afforded the same protections as it would be if it were hosted in the UK and in line with the requirements of the current legislation.
5. How long we keep your information
We retain your personal information only for as long as it is needed for the purpose(s) it was collected. In some cases we must retain personal data in order to meet our legal obligations, such as retaining financial records for up to seven years.
When your information is no longer required we will securely dispose of it or may anonymise it.
We may indefinitely retain information about customers whose conduct has been anti-social or has breached our policies, for the purpose of restricting those customers’ future use of our services. This is in our legitimate interest.
6. How we keep your information safe
We follow industry standard security practices (including applying appropriate technical and organisational measures) in the processing, storage, and use of your personal information.
We apply a range of information security safeguards to keep your personal information secure, including but not restricted to the following:
- connections between internal systems and the internet are protected by firewalls
- data in transit is encrypted to industry standard
- access to systems and data is protected by user-id and password controls, and employees can only access the data they need in order to perform their job
- your payment card data is always encrypted
- offices and secure areas are protected with physical access controls
- we continually monitor our systems for vulnerabilities and signs of attack, apply patches and carry out penetration tests regularly to assess the strength of our defences
- we enforce physical, electronic, and procedural safeguards in connection with the collection, storage, and disclosure of personal information; and
- we verify your identity before discussing your YHA bookings or processing data rights requests, to ensure we do not share your data with unauthorised people.
7. Information about young people
We encourage and welcome children and young people to use and stay at YHA hostels and we take due care when handling young peoples’ information, for example for our Summer Camps programme. However, our online bookings, membership, donation and purchasing services are intended for users aged 16 years and over, so please do not use these if you are under 16 years old.
If you provide information to us about children under the age of 16, then you are confirming that you are the parent or legal guardian, or that you have the consent of the parent or legal guardian to share that information.
8. CCTV
We use Closed Circuit Television (CCTV) at some of our properties, and you may be recorded when you visit them. We use CCTV in order to help protect YHA guests, employees, and visitors, and to protect YHA’s premises from criminal activities. We have a CCTV policy, which includes a defined retention period (30 days at most sites) and a process for managing requests for CCTV footage. We may share with police forces, upon request, for the purpose of investigating a crime.
9. Competitions and giveaways data processing
YHA occasionally runs competitions and giveaways awarding prizes to the winning entrant(s) (competitions) or entrant(s) selected at random (giveaways) and in order to allocate the prize we require you to provide your personal data. Some information is standard, such as your name and contact details and other data required will depend on the nature of the prize but this will be set out in the relevant terms and conditions, so you understand what data processing is necessary before entering the competition or giveaway.
We ask winners to participate in promotional activities, usually announcement of the winner(s) and receipt of the prize(s), this might be via social media posts, or in print and will generally include names and photographs of the winner(s) receiving or enjoying their prize(s).
Where we operate a competition or giveaway with partners and co-sponsors, we may share your contact data with them so they can provide any prizes directly to the winner(s).
We rely upon legitimate interest (GDPR Art 6(1)f) for processing of your personal data, and we do not anticipate processing any Special Category data for competitions or giveaways activity but would rely upon your consent for any such processing.
We will retain your data for a period of 7 years from the announcement of the winner(s) of any competition or prize, any publicity material may remain in circulation after this retention period.
10. Disclosing your information to other organisations
Some of our hostels are operated by organisations other than YHA (England & Wales) under contract. Where you make a booking or enquiry about those hostels, we will share your information on for the purpose of providing the services or information you have requested.
We may use trusted third parties to process your information on our behalf and when we do, appropriate data privacy contracts and clearly defined processing, storage and retention instructions will be in place. We will only transfer your personal information on the understanding that the third party has undertaken to us that they have in place adequate technical and organisational measures to protect that information.
We use Stripe [https://stripe.com/gb/privacy] to process card payments for Bookings and while we don't retain the full card details on our systems we have the facility to identify the card used and to use the same card details to process payment for the balance of a Booking. See our booking Terms and Conditions for details of how these payments are managed and when this facility might be used.
We may release your information to the police or other authorities where we are under a legal obligation to do so, or where doing so is in your vital interests.
We may engage with trusted third parties to analyse data about our customers, supporters, and website users in order to provide us with greater insight into customer and supporter behaviour for the purpose of informing future developments. Where practical this will not include identifiable data but may include pseudonymised data.
During the Covid Pandemic we shared hostel customer data with NHS contact tracing services and may do in the future where required by law.
Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.
11. Opting out of cookies use
Our cookie notice sets out what cookies are used on the website and you are able to directly manage what cookies are set. When you visit the YHA website we ask you to confirm which cookies you consent to the use of, using our cookies manager, linked to from the Cookies Statement at www.yha.org.uk/our-policies/cookie-statement.
You can manage your cookie preferences any time you visit our website by selecting manage cookies.
Where you allow it, we use cookies for ‘microtargeting’ including the Meta Pixel, via Facebook Business Tools. Microtargeting works through the use of electronic tools including ‘Tracking Pixels’. These electronic tools typically track your browsing habits, likes and social interactions across the internet in order to build up a profile about you. This profile is used to tailor advertisements to your specific interests. Facebook Ireland is a Joint Controller of the Meta Pixel data used for this purpose; Facebook Ireland's Data Policy is available at www.facebook.com/about/privacy. Any data rights requests concerning the associated cookies data should be directed to Facebook Ireland.
The Information Commissioner’s Office provides privacy guidance to the public on use of various social media platforms (including Facebook) at ico.org.uk/media/your-data-matters/documents/2614882/ydm-facebook-factsheet.pdf.
12. Your rights
Under data protection law, you have rights over the use of your data, the rights available to you depend on our reason for processing your information. You can read more about your rights on the ICO website at ico.org.uk/your-data-matters. Where we rely upon your consent to process your personal data you have a right to withdraw that consent at any time and you should contact us to request this ([email protected]).
Your rights include:
- The right to be informed about our processing, which this notice does.
- The right of access to your data held by us, called a ‘Subject Access Request’
- The right to rectification of inaccurate data
- The right to request erasure of your data, in some circumstances, sometimes called the ‘right to be forgotten’
- The right to restrict our processing, in some circumstances
- The right to data portability, an accessible and machine-readable copy of your data
- The right to object to our processing, in some circumstances, but this always applies to direct marketing.
- Rights in relation to automated decision making and profiling, in some circumstances.
Requests should be sent to [email protected] but you can also call or write to us. Requests can be made at any time and there is no charge for making one. We have 30 days within which to respond to your request but we will process it without delay once your identity has been verified.
If you want to unsubscribe from YHA emails lists, you will find an unsubscribe link on the footer of our emails. A link is also provided to our email preference centre, which allows you to determine what kind of content you want to receive from us in the future.
13. Complaints
If you feel we have mishandled your data, please contact us with details so we can review and remedy the situation. You also have the right to contact the Information Commissioner’s Office (ICO) at ico.org.uk/global/contact-us/contact-us-public or by calling 0303 123 1113, but please give us the chance to rectify the situation first.
14. Roles and responsibilities
YHA is the sole Controller of its bookings data, except for bookings within the franchise network. This data is held on YHA owned and managed systems but the YHA Partner hostels are, individually, joint Controllers with YHA of this information. Any data rights requests or complaints related to jointly controlled data will be managed by YHA, but you can contact either party to submit your request,
The contract to provide accommodations is solely between the booker and the relevant YHA Partner hostel, YHA is acting as agent when processing YHA Partner hostel bookings made via the YHA website or call centre. Further detail is set out in the booking Terms and Conditions, www.yha.org.uk/our-policies/website-terms-conditions.
Complaints, incidents, accidents and safeguarding data, related to accommodation bookings is individually managed by the YHA Partner hostel, according to YHA policy and process. Where matters are escalated to YHA for investigation, the YHA Partner hostel and YHA are joint Controllers of this data. Otherwise YHA is a Processor where data is held on YHA systems and managed by the YHA Partner hostel as the Controller.
YHA Partner hostels and YHA hold separate marketing email lists but may share unsubscribe requests where the data subject sends a request to one party requesting removal from any YHA related marketing lists.
YHA Partner hostels are solely responsible for all other data processing necessary to operate the business, including employee and other contacts data processing, as set out in their individual privacy notices.
15. Sale of YHA hostels and data transfers
Where YHA hostels are sold to third parties not intending to join the YHA franchise network, but who will be honouring existing YHA bookings, data transfer between YHA and the buyer will be necessary. Otherwise prospective buyers receive aggregate customer data, which will not include any personal data.
Buyers honouring YHA bookings will receive guest bookings data in order to fulfil any hostel bookings made prior to the sale and occurring after the transfer of the hostel to the buyer. YHA relies upon Art 6(1)f, Legitimate Interest, for this data processing.