Introduction
This privacy policy tells you what to expect when Suite Hub Limited (“we”, “us”, “our”) collects personal information about you when you use www.suitehub.com, email us or phone us.
Suite Hub Limited is committed to protecting your personal information when you use Suite Hub services. Whenever you provide such information we will only use your information in line with all applicable data protection laws, including the General Data Protect Regulation (GDPR). Your information will be kept in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
About us
For the purposes of the Data Protection Act 1998 (“the Act”), and the General Data Protection Regulation (“GDPR”), the data controller is Suite Hub Limited (company number: 6293944) whose registered office is Queen Anne House, 25-27 Broadway, Maidenhead, Berks SL61LY.
Our privacy promise
We promise to collect, use and store your personal data in a safe and secure way.
We promise to only use your personal data for the specific purposes stated.
We promise to keep you informed about how we use your information and who we give it to.
Information we may collect from you
We only seek to gather information from you that we need in order to provide our services. This includes your full name, telephone number, email address and date of birth. We may also need to take the names of other guests, as long as they are over 18 years of age. We also ensure we take down details of your booking enquiry such as length of stay, accommodation type and the budget for your stay.
We collect some information from you when you visit our website, which are called cookies. It helps us improve our website and your overall experience. The information we collect includes your IP address, language settings and what browser you’re using.
Please note if someone is booking your accommodation on your behalf, we may collect your information from them directly, instead of from you. We’re pleased to advise that we never collect or store your payment information.
Why do we collect your information?
We only seek to gather information from you that we need in order to provide our services. Primarily, your information is used so that we can communicate with you and process your accommodation enquiry. We email you with accommodation options after you make an enquiry with us. We also like to speak to you on the phone about your requirements and help you make an informed choice. Although when placing a booking, this can be done yourself on our website, we may by email or phone contact you for the process of administering your booking.
Unless a booking proceeds, we will never share any of your information you provide us with anyone. Once a booking has been completed, we will keep your information for no longer than 6 years. This is also to comply with regulatory bodies such as Her Majesties Revenue & customs (HMRC).
We like to keep in touch with you with relevant marketing emails, letters and phone calls should you opt-in when making an enquiry on our website. These efforts include promotions, company and industry news, competitions and special offers.
How do we obtain your information?
Website: We take your information via our enquiry forms on our website, and also from our online booking form when you want to proceed with an option we have offered you.
Telephone: When you call us to make an accommodation enquiry, we will ask and collect the information that we need in order to process your enquiry and send you accommodation options.
Email: When you email us to make an accommodation enquiry, we will look for and collect the information that we need in order to process your enquiry and send you accommodation options.
Social Media: We may sometimes use your information in response to a social media campaign. For example, we may run a promotion or competition and if you winner may be contacted.
How do we contact you?
During the booking process: We will contact you by phone or email in order to provide you accommodation options, discuss and answer questions, arrange property viewings and then proceeding with your booking. We also like to contact either the booker or the guest staying in the property during their booking to ensure everything is satisfactory, to resolve any requests or problems, or to ask about any possible extensions to the booking or any future booking requirements.
Marketing: With your consent, we may contact you by email. Phone or letter to let you know about promotions, special offers, competitions or industry and company news.
Information we may may share with others
We share your information only so that we may process your booking. As a booking agent, once you confirm that you wish to proceed and book a particular property option, we will share your information with the Apartment Provider that operates that option. The information we share is your full name, email address, telephone number, other guest names (if over 18) and the number of guests.
Please note that we require all of our Apartment Providers to sign our provider terms and conditions which binds them to strict data privacy requirements. If your booked property resides outside of the EU, your information may be transferred to a country without the same data protection standards in place.
Please note we may share your information to others in the event that we sell our company, introduce, joint venture or purchase another business or company, or for when we may need to submit or defend a legal matter. We may also have to disclose your information to assist and comply with legal obligations.
Children’s personal data
We only require the names of those booking the apartment, and/or staying in the apartment as guests. To both book and stay in one of our properties, one has to be over 18. We will never ask for the names of any guests that are under the age of 18, but may require their ages for logistic reasons. For example, it helps us know how to set up beds, provide high chairs and cots if we know the ages of children.
How we store your information
The security of your personal data is very important to us. All information provided is secured and stored in our industry leading cloud based software systems, all of which require personal logins from our members of staff. We have made sure that only those that need to view your data for the purposes laid out in this privacy policy can view your data with the help of security roles and restrictions within our systems.
Your data rights
As a user of our services, in relation to the information we hold about you. you have rights as an individual which you can exercise.
You have a right to be informed in a clear, transparent and easily understandable way about how we use your personal information and about your rights. This is why we are providing you with the information in this policy. If you require further information about how we use your personal data, just let us know.
You can request access to your personal information by making a ‘Personal information request’. We can tell you what information we hold about you, why we are holding it and who it may be shared with. If it’s been shared, this will only have been with a property that you have made a reservation with. Further to this, you may request a full copy of the personal information we hold for you which we will send to you. You can do this by contacting us at any time.
If you notice that your data is inaccurate you can request for it to be rectified. Just send an email to enquiries@suitehub.com and we will make the relevant corrections.
You have the right to restrict the processing of your data. We only use your data to process your booking and if you request us to restrict any processing then this will take place after your booking and stay has been completed. Further to this, if you feel your data has been processed incorrectly or unfairly then you have the right to object to the processing of this data. You can do this by contacting us.
If you decide that you don’t want us to store your data anymore then you can request it to be deleted. Just contact us and we will delete all of your personal data. We will only retain your data if we’re under a legal obligation to do so or we need to keep it to establish, exercise or defend a legal claim, and you will always be informed in these scenarios.
If you think that we are using your information in a way which breaches data protection law, you have the right to lodge a complaint with your national data protection supervisory authority (if you are in the UK, this will be the ICO).
In the limited circumstances where we are relying on your consent (as opposed to the other bases set out above) to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another compelling legitimate interest in doing so.
How to contact us
Email: enquires@suitehub.com
Phone: +44 (0) 203 743 7474
Office Address: Suite Hub, Clyde House, Reform Road, Maidenhead, SL68BY, UK.
In common with other websites we use cookies to ensure that you get the most out of the site and to improve the service we offer. A cookie is a text file containing small amounts of information that are downloaded to your device when you access a website. The text file is then sent back to the server each time your browser requests a page from the server. This enables the web server to identify and track the web browser you are using. We only use necessary cookies that are used by the likes of Google Adwords and WordPress etc.
If you don’t want us to install cookies on your computer for these purposes, you can change the settings on your internet browser to reject cookies. All modern browsers allow you to change your cookie settings. These settings will typically be found in the ‘options’ or ‘preferences’ menu of your browser. In order to understand these settings you should use the ‘Help’ option in your browser for more details.
Suite Hub Limited (“the Company”) is committed to the practice of responsible corporate behaviour and to complying with all laws, regulations and other requirements which govern the conduct of our operations.
The Company is fully committed to instilling a strong anti-corruption culture and is fully committed to compliance with all anti-bribery and anti-corruption legislation including, but not limited to, the Bribery Act 2010 (“the Act”) and ensures that no bribes or other corrupt payments, inducements or similar are made, offered, sought or obtained by us or anyone working on our behalf.
Bribery is defined as the giving or promising of a financial or other advantage to another party where that advantage is intended to induce the other party to perform a particular function improperly, to reward them for the same, or where the acceptance of that advantage is in itself improper conduct.
Bribery is also deemed to take place if any party requests or agrees to receive a financial or other advantage from another party where that advantage is intended to induce that party to perform a particular function improperly, where the acceptance of that advantage is in itself improper conduct, or where that party acts improperly in anticipation of such advantage.
Bribery of a foreign official is defined as the giving or promising of a financial or other advantage which is intended to influence the official in order to obtain business or an advantage in the conduct of business unless the foreign official is required or permitted by law to be influenced by such advantage.
Anyone or any organisation found guilty of bribery under the Act may face fines and/or prison terms. In addition, high legal costs and adverse publicity are likely to result from any breach of the Act.
For employees of the Company, failure to comply with this Policy and/or with the Act may result in:
disciplinary action which may include dismissal; and
criminal penalties under the Act which may result in a fine and/or imprisonment for up to 10 years.
For the Company, any breach of this Policy by any employee or business associate may result in:
the Company being deemed to be in breach of the Act;
the Company being subject to fines; and
the Company suffering negative publicity and further associated damage as a result of such breach.
Responsibility for Compliance and Scope of Policy
This Policy applies to all employees, agents, contractors, subcontractors, consultants, business partners and any other parties (including individuals, partnerships and bodies corporate) associated with the Company or any of its subsidiaries.
It is the responsibility of all of the abovementioned parties to ensure that bribery is prevented, detected and reported and all such reports should be made in accordance with the Company’s Whistleblowing Policy or as otherwise stated in this Policy, as appropriate.
No party described in section 4.1 may:
give or promise any financial or other advantage to another party (or use a third party to do the same) on the Company’s behalf where that advantage is intended to induce the other party to perform a particular function improperly, to reward them for the same, or where the acceptance of that advantage will in itself constitute improper conduct;
request or agree to receive any financial or other advantage from another party where that advantage is intended to induce the improper performance of a particular function, where the acceptance of that advantage will in itself constitute improper conduct, or where the recipient intends to act improperly in anticipation of such an advantage.
Parties described in section 4.1 must:
be aware and alert at all times of all bribery risks as described in this Policy and in particular as set out in section 9 below;
exercise due diligence at all times when dealing with third parties on behalf of the Company; and
report any and all concerns relating to bribery to Gary Moore, Managing Director, or, in the case of non-employees, their normal point of contact within the Company, or otherwise in accordance with the Company’s Whistleblowing Policy.
A facilitation payment is defined as a small payment made to officials in order to ensure or speed up the performance of routine or necessary functions.
Facilitation payments constitute bribes and, subject to section 5.3, may not be made at any time irrespective of prevailing business customs in certain territories.
Facilitation or similar payments may be made in limited circumstances where your life is in danger but under no other circumstances. Any payment so made must be reported to Gary Moore, Managing Director as soon as is reasonably possible and practicable.
Gifts and hospitality remain a legitimate part of conducting business and should be provided only in compliance with the Company’s Gifts and Hospitality Policy.
Gifts and hospitality can, when excessive, constitute a bribe and/or a conflict of interest. Care and due diligence should be exercised at all times when giving or receiving any form of gift or hospitality on behalf of the Company.
The following general principles apply:
Gifts and hospitality may neither be given nor received as rewards, inducements or encouragement for preferential treatment or inappropriate or dishonest conduct.
Neither gifts nor hospitality should be actively sought or encouraged from any party, nor should the impression be given that the award of any business, custom, contract or similar will be in any way conditional on gifts or hospitality.
Cash should be neither given nor received as a gift under any circumstances.
Gifts and hospitality to or from relevant parties should be generally avoided at the time of contracts being tendered or awarded.
The value of all gifts and hospitality, whether given or received, should be proportionate to the matter to which they relate and should not be unusually high or generous when compared to prevailing practices in our industry or sector.
Certain gifts which would otherwise be in breach of this Policy and/or the Hospitality and Gifts Policy may be accepted if refusal would cause significant and/or cultural offence, however the Company will donate any gifts accepted for such reasons to a charity of Gary Moore, Managing Directors, choosing.
All gifts and hospitality, whether given or received, must be recorded in the Hospitality & Gifts Register.
Charitable donations are permitted only to registered (non-profit) charities. No charitable donations may be given to any organisation which is not a registered charity.
All charitable donations must be fully recorded.
Proof of receipt of all charitable donations must be obtained from the recipient organisation.
Under no circumstances may charitable donations be made in cash.
No charitable donation may be made at the request of any party where that donation may result in improper conduct.
The Company does not make political donations and the Company is not affiliated with any political party, independent candidate, or with any other organisation whose activities are primarily political.
Employees and other associated parties are free to make personal donations provided such payments are not purported to be made on behalf of the Company and are not made to obtain any form of advantage in any business transaction.
The following issues should be considered with care in any and all transactions, dealings with officials, and other business matters concerning third parties:
Territorial risks, particularly the prevalence of bribery and corruption in a particular country;
Cross-border payments, particularly those involving territories falling under section 9.1;
Requests for cash payment, payment through intermediaries or other unusual methods of payment;
Activities requiring the Company and / or any associated party to obtain permits or other forms of official authorisation;
Transactions involving the import or export of goods;
Suite Hub Limited is a UK registered company providing serviced accommodation. The business of the Company is low risk in relation to money laundering, however in order to prevent any of our services being used (or potentially used) for any money laundering activity, as well as any of our staff being exposed to money laundering, we wish to put in place the following anti-money laundering policy which supplements the anti-money laundering training given to all members of staff.
The broad definition of money laundering means that potentially anyone could commit a money laundering offence, this includes all employees of the Company, all temporary staff and contractors.
Our policy is to enable the Company to meet its legal and regulatory requirements in a way which is proportionate to the low risk nature of the business, by taking reasonable steps to minimise the likelihood of money laundering occurring.
All employees must be familiar with their legal responsibilities and failure to comply with this Policy may lead to disciplinary action.
The principal primary legislation is The Proceeds of Crime Act 2002 (POCA), which consolidated, updated and reformed criminal law with regard to money laundering, supplemented by the Terrorism Act 2000 and the Fraud Act 2006. The principal secondary legislation is the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 as amended by the Money Laundering and Terrorist Financing (Amendment) Regulations 2019.
Money laundering can be defined as the process to move illegally acquired cash through financial systems so that it appears to be from a legitimate source. Money laundering offences include: concealing, disguising, converting, transferring criminal property or removing it from the UK (Section 327 POCA); entering into or becoming concerned in an arrangement which you know or suspect facilitates the acquisition, retention, use or control of criminal property by or on behalf of another person (Section 328 POCA); and acquiring, using or possessing criminal property (Section 329 POCA).
There are also several secondary offences, failure to disclose knowledge or suspicion of money laundering to the Money Laundering Reporting Officer (MLRO); failure by the MLRO to disclose knowledge or suspicion of money laundering to the National Crime Agency; and ‘tipping off’ whereby somebody informs a person or persons who are, or who are suspected of being involved in money laundering, in such a way as to reduce the likelihood of their being investigated or prejudicing an investigation.
Any member of staff could potentially be caught by the money laundering provisions, if they suspect money laundering and either become involved with it in some way, and/or do nothing about it. This Policy sets out how any concerns should be raised.
Money Laundering Reporting Officer (MLRO)
The Company will appoint a MLRO to receive disclosures about money laundering activity and be responsible for anti-money laundering activity within the Company. The officer nominated to do this is the Managing Director.
The Company will also appoint a deputy MLRO who will be responsible in the absence of the nominated officer. The deputy MLRO is the Commercial Director.
The MLRO will ensure that appropriate training and awareness is provided to new and existing staff and suppliers and that this is reviewed and updated as required.
The MLRO will ensure that appropriate anti-money laundering systems and processes are incorporated by the Company.
Suspicions of Money Laundering
All staff and suppliers must immediately report any knowledge of or suspicion of (or where there are reasonable grounds to suspect) suspicious activity to the MLRO in the prescribed form as set out in this policy document.
Once the matter has been reported to the MLRO, the employee or supplier must follow the directions given to them and must NOT make any further enquiry into the matter.
The employee/supplier must NOT voice any suspicions to the person(s) whom they suspect of money laundering, as this may result in the commission of the offence of “tipping off”. They must NOT discuss the matter with others or note on the file that a report has been made to the MLRO in case this results in the suspect becoming aware of the situation.
Consideration of the Disclosure by the MLRO
Once the MLRO has received the report, it must be evaluated in a promptly manner in order to determine whether:
There is actual or suspected money laundering taking place; or
There are reasonable grounds to know or suspect that this is the case; and
Whether the MLRO needs to lodge a Suspicious Activity Report (SAR) with the National Crime Agency (the NCA).
Where the MLRO concludes that there are no reasonable grounds to suspect money laundering then consent will be given for any on-going or imminent transaction(s) to proceed.
Where consent is required from the NCA for a transaction to proceed, then the transaction(s) in question must not be undertaken or completed until the NCA has given specific consent, or there is deemed consent through the expiration of the relevant time limits without objection from the NCA.
All disclosure reports referred to the MLRO and reports made to the NCA will be retained by the MLRO in a confidential file kept for that purpose, for a minimum of 5 years.
The MLRO must also consider whether additional notifications and reports to other relevant enforcement agencies should be made.
Customer Identification and Due Diligence
Due diligence is performed on all customers and suppliers who must provide basic information including full names, business addresses and registration details of corporate bodies.
Enhanced Due Diligence
It may be necessary for the Company to carry out enhanced due diligence on certain customers or suppliers where the customer/supplier or a transaction involving the customer/supplier appears to be “high risk”. This means that there is a higher level of identification and verification of the customer’s identity required. The following non-exhaustive list of situations may indicate a “high risk”:
a new customer;
a customer not well known to the Company;
customers in known high risk industries and/or jurisdictions;
transactions that are unusual or appear to be unusual for that customer;
highly complex transaction or payment arrangements;
the transaction involves a politically exposed person (“PEP”) or an immediate family member or a close associate of a PEP;
no face to face meetings take place with the customer where this is usually expected; and
Employees and suppliers must assess the money laundering risk for each customer and if you suspect enhanced due diligence is required, you should speak to the MLRO before continuing any engagement with the customer. The MLRO will be required to approve the continuance of the business relationship.
If enhanced due diligence is carried out, the MLRO must:
obtain additional information on the customer and on the customer’s beneficial owner(s);
obtain additional information on the intended nature of the business relationship;
obtain information on the source of funds and source of wealth of the customer and customer’s beneficial owner(s); and
conduct enhanced monitoring of the business relationship.
This may include but is not limited to the following:
checking the organisation website to confirm the identity of personnel, its business address and any other details;
attending the customer at their business address;
obtaining additional information or evidence to establish the identity of the customer and its beneficial owner(s), including checking publicly available beneficial ownership registers of legal entities such as the registers available at Companies House;
in the case of a PEP, seek the approval of senior management and establish the source of wealth and source of funds;
ensure that the first payment is made into a bank account in the customer’s name;
If satisfactory evidence of identity is not obtained at the outset then the business relationship or one-off transaction(s) cannot proceed any further. A report should be filed with the MLRO who will then consider if a report needs to be submitted to the NCA.
Employees and suppliers should review customers at regular intervals to ensure that the risk level of each customer information and information held on each customer is not only accurate and up to date but is consistent with the knowledge of the customer and its business. Further due diligence may be required if new people become involved at a customer. Any suspicious activity must be reported to the MLRO.
Customer details must be collected in accordance with the Data Protection Act 2018. This data can be “processed” as defined under the Data Protection Act 2018 to prevent money laundering and terrorist financing.
Customer identification evidence and details of any relevant transaction(s) for that customer must be retained for at least 5 years from the end of any business relationship with that customer.
This Policy is a supporting document to the GDPR Data Protection Policy of Suite Hub Limited, a company registered in England & Wales under number 6293944, whose registered office is at Clyde House, Reform Road, Maidenhead, Berkshire, SL6 8BY, UK (“the Company”) regarding data protection and the rights of stall, customers and suppliers.
This Policy sets out rules and guidance for all employees, agents, contractors, or other parties working on behalf of the Company regarding the handling of personal data.
“consent” | means the consent of the data subject which must be a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they (by a statement or by a clear affirmative action) signify their agreement to the processing of personal data relating to them; |
“Data Protection Legislation” | means all applicable data protection and privacy laws including, but not limited to, the Data Protection Act 2018, the GDPR, and any applicable national laws, regulations, and secondary legislation in England and Wales concerning the processing of personal data or the privacy of electronic communications, as amended, replaced, or updated from time to time; |
“data subject” | means a living, identified, or identifiable individual about whom the Company holds personal data; |
“personal data” | means any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that data subject. Unless otherwise stated, references in this Policy to “personal data” shall also include special category personal data; |
“personal data breach” | means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed; |
“processing” | means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; |
“special category personal data” | means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric, or genetic data. |
Data Protection Officer & Scope of Policy
The Company’s Data Protection Officer is Gary Moore, Managing Director. The Data Protection Officer is responsible for administering this Policy and for developing and implementing any applicable related policies, procedures, and/or guidelines.
All staff are responsible for ensuring that all employees, agents, contractors, or other parties working on behalf of the Company comply with this Policy and, where applicable, must implement such practices, processes, controls, and training as are reasonably necessary to ensure such compliance.
Any questions relating to this Policy, the Company’s collection, processing, or holding of personal data, or to the Data Protection Legislation should be referred to the Data Protection Officer.
The Company collects and processes the personal data set out in Suite Hub’s office addresses.
The Company only collects, processes, and holds personal data for the specific purposes set out in Suite Hub’s office addresses (or for other purposes expressly permitted by the Data Protection Legislation).
The Company will only collect and process personal data for and to the extent necessary for the specific purpose or purposes of which data subjects have been informed (or will be informed).
Employees, agents, contractors, or other parties working on behalf of the Company may collect personal data only to the extent required for the performance of their job duties and only in accordance with this Policy and the Company’s Data Protection Policy. Excessive personal data must not be collected.
Employees, agents, contractors, or other parties working on behalf of the Company may process personal data only when the performance of their job duties requires it. Personal data held by the Company cannot be processed for any unrelated reasons.
The Company shall ensure that all personal data collected, processed, and held by it is kept accurate and up-to-date. This includes, but is not limited to, the rectification of personal data at the request of a data subject.
If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
The Company shall not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed.
When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.
For full details of the Company’s approach to data retention, including retention periods for specific personal data types held by the Company, please refer to our Data Retention Policy.
For more details about the Company’s approach to Data Protection and the obligations which apply to the Company and to all employees, agents, contractors, or other parties working on behalf of the Company, please refer to the Company’s GDPR Data Protection Policy which includes sections on:
The data protection principles;
The rights of data subjects;
Consent;
The accuracy of personal data and keeping personal data up-to-date;
Personal data retention;
Accountability and record-keeping;
Data protection impact assessments;
Privacy by design;
Keeping data subjects informed about their personal data and our use of it;
Data subject access requests;
Rectification of personal data;
Erasure of personal data;
Restricting personal data processing;
Personal data portability;
Objections to personal data processing;
Automated personal data processing, decision-making, and profiling;
Marketing;
Details of the personal data collected, held, and processed by the Company;
Data security;
Organisational security;
Transferring personal data to countries located outside of the European Economic Area; and
Handling data breaches;
The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Further details of the technical and organisational measures which shall be taken are set out below in Part 6.
Data security must be maintained at all times by protecting the confidentiality, integrity, and availability of all personal data as follows:
only those with a genuine need to access and use personal data and who are authorised to do so may access and use it;
personal data must be accurate and suitable for the purpose or purposes for which it is collected, held, and processed; and
authorised users must always be able to access the personal data as required for the authorised purpose or purposes.
All personal data must be handled in accordance with the requirements of the Data Protection Legislation, the Company’s Data Protection Policy, and other related policies.
All emails containing personal data must be encrypted
All emails containing personal data must be marked “confidential”.
Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances.
Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable.
Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted
Where personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data.
Where personal data is to be transferred in hardcopy form it should be passed directly to the recipient
All personal data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a suitable container marked “confidential”.
All electronic copies of personal data should be stored securely using passwords and data encryption.
All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar.
All personal data stored electronically should be backed up quarterly with backups stored on cloud-based servers. All backups should be encrypted.
When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. For further information on the deletion and disposal of personal data, please refer to the Company’s Data Retention Policy.
No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of Gary Moore, Managing Director and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary.
No personal data should be transferred to any computer or device personally belonging to an employee, agent, contractor, or other party working on behalf of the Company and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the Data Protection Legislation (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).
No personal data may be shared informally and if an employee, agent, contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from Gary Moore, Managing Director.
No personal data may be shared with or transferred to any employee, agent, contractor, or other party, whether such parties are working on behalf of the Company or not, without the authorisation of Gary Moore, Managing Director only then if the sharing or transfer is secure, lawful, and fair. Personal data shared with third parties must be covered by a suitable written agreement to ensure compliance with the Data Protection Legislation.
Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, contractors, or other parties at any time.
If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it.
Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of Gary Moore, Managing Director to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS.
All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. All software used by the Company is designed to require such passwords.
Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords.
Under no circumstances should any passwords relating to Company systems and/or personal data be saved on any computer or device [that is not Company-owned]. This includes saving passwords in internet browsers and in third-party password manager applications.
Under no circumstances should any computer or device used for accessing or handling personal data be used without the correct security functions enabled including, as appropriate, passwords, PIN codes, biometric security (e.g. fingerprint), and any additional security software provided by the Company.
All software (including, but not limited to, applications and operating systems) shall be kept up-to-date. The Company’s IT staff shall be responsible for installing any and all security-related updates as soon as reasonably and practically possible.
No software may be installed on any Company-owned computer or device without the prior approval of the IT Department. Notwithstanding the above in 6.25, only the Company’s IT staff shall be permitted to install software updates. Users who are not part of the IT staff or do not have the authorisation of the IT staff shall not install software updates themselves. Automatic updates (as enabled by the IT staff) are permitted.
If any computer or device used to access or store personal data, whether personal or Company-owned, is lost or stolen, the loss or theft must be reported to IT Department as soon as possible, and all assistance required provided with any investigation.
All employees, agents, contractors, or other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the Data Protection Legislation and under all applicable Company policies, including (but not limited to) this Policy and the Data Protection Policy.
Only employees, agents, contractors, or other parties working on behalf of the Company that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company.
All sharing of personal data shall comply with the information provided to the relevant data subjects and, if required, the consent of such data subjects shall be obtained prior to the sharing of their personal data.
All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately trained to do so.
All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately supervised.
All employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise.
Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed.
All personal data held by the Company shall be reviewed periodically, as set out in the Company’s Data Retention Policy.
The performance of those employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed.
All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the Data Protection Legislation and this Policy by contract.
All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the Data Protection Legislation.
Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
Accountability and Record-Keeping
The Data Protection Officer is responsible for administering this Policy and for developing and implementing all applicable related policies, procedures, and/or guidelines.
The Company shall follow a privacy by design approach at all times when collecting, holding, and processing personal data. Data Protection Impact Assessments shall be conducted if any processing presents a significant risk to the rights and freedoms of data subjects.
All employees, agents, contractors, or other parties working on behalf of the Company shall be given appropriate training in data protection and privacy, addressing the relevant aspects of the Data Protection Legislation, this Policy, the Company’s Data Protection Policy, and all other applicable Company policies.
The Company’s data protection compliance shall be regularly reviewed and evaluated by means of Data Protection Audits.
The Company shall keep written internal records of all personal data collection, holding, and processing.
This Policy shall be deemed effective as of 20th January 2020. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
Environmental Policy
The Environmental Policy of Suite Hub Limited (“the Company”) is to ensure so far as it is reasonably practicable that its operations will be carried out with a commitment to protecting and enhancing the environment.
As an office we know that we generate a small level of waste paper products. However, as we strive for excellence in every aspect of our business, we are committed to minimising the environmental impacts of the business operation.
Our stated aims are to:
Aim to continuously improve our environmental performance particularly with regards to our recycling and re-use of paper.
Where possible we will use recycled or ecologically friendly paper.
We will use ‘waste’ paper for notepads unless confidentiality may be compromised.
Reduce our consumption of resources and improve the efficiency of those resources by printing double sided where practicable
Manage waste generated from my business operations according to the principles of reduction, re-use and recycling
Recycle all paper products, ink or toner cartridges.
Comply as a minimum with all relevant environmental legislation as well as other environmental requirements.
This Environmental Policy Statement will be regularly reviewed and updated as necessary. The management team endorses these policy statements and is fully committed to their implementation.
It is this Company’s aim that all people should have equal chance and opportunity in life. Therefore this Company is an equal opportunity employer. This means that the Company’s policy is to ensure that no unlawful discrimination occurs, either directly or indirectly, against any person on the grounds of age, gender, gender reassignment, colour, sexual orientation, disability, marital status, race, religion, religious beliefs, ethnic or national origin.
The aim of this policy is to ensure all employees receive fair treatment and equal opportunities at work and are not subjected to prejudicial practice as a result of the Company’s activities. This will ensure equality of opportunity for all potential employees, employees, contractors and customers.
Policy key goals:
Everyone will be treated reasonably, equally, and, with fairness.
The Company will ensure its actions are justified.
The Company will provide a workplace free of discrimination, bullying, harassment and victimisation.
The Company will promote equality and endeavour to eliminate all forms of unlawful and unfair discrimination.
The policy is intended to assist the Company put its commitment into practice.
This policy will aim to give guidance to employees to help them understand acts of discrimination.
This policy applies to any person’s discrimination, but is not limited to the following protected characteristic pregnancy and maternity, marriage and civil partnership, sexual orientation, sex, religion or belief, race gender reassignment, disability, and age.
The Company will:
Work to eliminate unlawful discrimination and harassment against individuals.
Make a commitment to treat employees and customers with dignity and respect.
Promote equality and opportunity.
Promote positive attitudes and good relations between people.
Encourage participation by all.
Take steps to account for disabilities.
Promote different minority groups.
Support equal opportunities in employment and recruitment.
Provide and maintain adequate arrangements to enable employees to raise issues.
Provide employees with equality and opportunities training as part of the induction process.
Equality Act which became law in October 2010 harmonises and replaces previous legislation (such as the Race Relations Act 1976 and the Disability Discrimination Act 1995).
The Equality Act provides a structure to prevent discrimination and promote equality, fairness and uniformity in employment. It is unlawful to treat someone less favourably or discriminate directly or indirectly in recruitment or employment on grounds of a protected characteristic i.e. pregnancy and maternity, marriage and civil partnership, sexual orientation, sex, religion or belief, race gender reassignment, disability, and age.
A descriptive term for an approach intended not to exclude but to ensure fairness. To entitle all to be treated equally and fairly and to provide with the same opportunities as colleagues, irrespective of your sex, marital status, disability, race, colour, nationality, ethnic or national origins, age, pregnancy, sexual orientation, health, political opinion, gender assignment, religion, belief, union membership, or part-time or fixed-term status.
Diversity is a concept that focuses on a broader set of qualities. Diversity refers to human qualities that are different from our own and those of groups to which we belong but that are present in other individuals and groups. Diversity in regard to employment may include but is not limited to age, ethnicity, gender, physical abilities, educational background, experience. The Company respects and includes differences, recognising the unique contributions that individuals can make, the Company aims to make sure that employees come from as diverse backgrounds as the people we provide our services/products to.
The term inclusion in regard to the work environment is a practice of ensuring that everyone in the Company feels connected. People are encouraged to feel they belong, are engaged, and associated through the common goals and objectives of the Company.
Where, a person is treated less favourably than another one. For example, if the Company did not employ a woman because she might have children or where the Company did not consider an Asian employee because of their nationality. It would also be direct discrimination lf the Company did not give the same training to a disabled person because of the lack of wheelchair access.
This is direct discrimination against someone because they associate with another person who possesses a protected characteristic. For example June works as a project manager and is looking forward to a promised promotion. However, after she tells her boss that her mother, who lives at home, has had a stroke, the promotion is withdrawn. This may be discrimination against June because of her association with a disabled person.
This is direct discrimination against an individual because others think they possess a particular protected characteristic. It applies even if the person does not actually possess that characteristic. For example, Jim is 45 but looks much younger. Many people assume that he is in his mid 20s. He is not allowed to represent his company at an international meeting because the Managing Director thinks that he is too young. Jim has been discriminated against on the perception of a protected characteristic.
Where the effect of a requirement or condition imposed by the Company cannot be justified and where that has an unfavourable or unreasonable impact on a group of people.
An example of indirect discrimination is where a Company might place an unnecessary condition or requirement on a particular job to prevent certain people from applying. e.g. that only people who speak fluent English should apply where the job does not clearly require great verbal skills, can be seen as indirectly placing prejudicial conditions on a job.
Harassment is “unwanted conduct related to a relevant protected characteristic, which has the purpose or effect of violating an individual’s dignity or creating an intimidating, hostile, degrading, humiliating or offensive environment for that individual”.
Harassment applies to all protected characteristics except for pregnancy and maternity and marriage and civil partnership. Employees can complain of behaviour that they find offensive even if it is not directed at them, and the complainant need not possess the relevant characteristic themselves. Employees are also protected from harassment because of perception and association harassment.
Harassment can also include third party harassment of employees by people that are not employees such as customers and clients. It is important to note that it is not the intention of the harasser, but how the recipient perceives their behaviour which determines whether harassment has occurred
A situation, where a person or group of people are targeted with abuse or suffer disadvantage to their employment conditions. Further information can be found on victimisation in the Company’s Bullying, Harassment and Victimisation Policy.
An individual can deal with policy complaints in various ways, ranging from asking the person to stop their behaviour or discussing a particular problem, to informal discussions with their manager or making a formal complaint.
In respect of each and every complaint everyone:
Shall be entitled to be treated with dignity and respect.
Should receive equality, free from discrimination.
Every employee can be assured that throughout each stage of any complaint, those dealing with it will aim to minimise the anxiety for all those involved in the process.
If an employee feels that they have not been treated in accordance with the policies of the Company the employee is then entitled to raise the matter through the Company Grievance Procedure. Any complaints made will not be taken lightly and will be dealt with promptly and confidentially. If any employee is found to have breached policy then they may be subject to disciplinary action under the Company Disciplinary Procedure.
If an individual or organisation outside the Company, (i.e. not employed by the Company) wishes to make a complaint under this Policy, the Company will investigate and take appropriate action in line with the procedure for dealing with employee complaints.
In some circumstances people are unaware that their behaviour or acts are unacceptable; often, if it is clearly pointed out to them, the problem can quickly be resolved. With this in mind, this policy includes action to deal with complaints informally. It is recommended that any attempt to resolve a complaint informally should be recorded by the employee in case the matter has to be addressed with more formal action.
If the employee feels unable to approach the problem directly on their own, they are advised to seek the support of a co-worker, an appropriate manager or a Trade Union official.
An employee may speak to a manager in confidence, if they wish; the manager will discuss the complaint and undertake an informal investigation into the matter. The manager will then attempt to resolve the situation informally and will highlight any breach of policy. In the case of inappropriate behaviour, it will be explained why such behaviour is unacceptable and made clear that further behaviour of a similar nature may lead to disciplinary action being taken.
In the event that informal resolution of the matter is unsuccessful, or considered inappropriate in the circumstances, the employee may make a formal complaint. Any formal complaint must be made in writing to the complainant’s manager. If the manager is the alleged, the complaint should be directed to the senior management.
The complaint will be acknowledged and investigated promptly; the complaint will be investigated impartially and confidentially. The Company will appoint a suitable and appropriate person, of the same sex if the complainant requests this or it is felt appropriate in the circumstances.
If the allegations are of a serious nature, which may constitute gross misconduct, the Company may consider suspending the alleged. Any subsequent disciplinary proceedings will be in line with the Company Disciplinary Procedure. If the complainant and the alleged work in close proximity to each other, it may be appropriate for the Company to consider moving them to another location or suspending the alleged during the investigation. The alleged, if suspended, will receive full pay.
It is important to note that suspension in this case is not intended to be, nor is it in any way, disciplinary. Suspension would purely enable a full, fair and prompt investigation of the complaint.
The complainant, alleged and witnesses will have the right to be accompanied by a work colleague or a Trade Union representative at any interview which forms part any investigation.
The complainant and the alleged will be informed of any progress of the investigation and the complainant will be consulted if a disciplinary hearing is to be arranged.
Where the evidence gathered in the investigation indicates that a disciplinary offence has been committed, a disciplinary hearing will be arranged in line with the Company’s Disciplinary Procedure. The alleged will be given a minimum of 5 working days written notice of the hearing, details of the allegations and notification of the right to be accompanied at the hearing by a workplace colleague or a Trade Union representative.
Disciplinary action in the form of a warning or dismissal may be given following the disciplinary hearing, in line with the Company Disciplinary Procedure. If disciplinary action is taken the alleged has the right of appeal in accordance with the Company Grievance Procedure.
Any complaints made are expected to be made responsibly and with dignity and respect. However, the Company take false accusations seriously, as they affect innocent individuals. Therefore, if an investigation shows that a false accusation has been made maliciously or in bad faith then disciplinary action will be taken that could lead to dismissal.
Any individual, be they complainants, alleged or witnesses, shall not be subjected to detrimental treatment or victimisation for being part of an ongoing investigation under this procedure.
A complainant may request to be moved to another position or location following a complaint of harassment. This will be accommodated wherever possible.
A complainant may use the Company Grievance Procedure to ask to have their case reviewed, if they feel that the matter was not considered properly. Wherever possible the review will be arranged and conducted by an appropriate level of manager not previously involved in the case.
Any complaint made against an employee, by an individual not employed by the Company, will be investigated in line with the procedure for dealing with complaints outlined in this policy and the Disciplinary Procedure.
If an employee complains of harassment at work by an individual, who is not employed by the Company, the matter will be raised with the appropriate individual or employer and suitable action will be taken by the Company.
All employees have a role to play in enforcing the policy and are required to deal with any observed or reported breaches. Should employees feel apprehensive about their own safety in regard to addressing any breach, they should seek senior management support.
Failure to comply with this policy may lead to a lack of clarity over job role, learning needs or expected standards of performance, resulting in reduced effectiveness or efficiency, underperformance and putting service delivery at risk.
Any member of staff refusing to observe the policy will be liable to disciplinary action in accordance with the Company’s Disciplinary Policy up to and including dismissal.
Overall responsibility for policy implementation and review rests with the Company senior management. However, all employees are required to adhere to and support the implementation of the policy. The Company will inform all existing employees about this policy and their role in the implementation of the policy. They will also give all new employees notice of the policy on induction to the Company.
This policy will be implemented through the development and maintenance of procedures for appraisals and one-to-one meetings, using template forms, and guidance given to both managers and employees on the process.
Suite Hub Limited (“the Company”) is committed to the practice of responsible corporate behaviour.
Through its business practices the Company seeks to protect and promote the human rights and basic freedoms of all its employees and agents.
Further the Company is committed to protecting the rights of all of those whose work contributes to the success of the Company, including those employees and agents of suppliers to the Company.
The Company is also committed to eliminating bribery and corruption. It is essential that all employees and persons associated with the Company adhere to this policy and abstain from giving or receiving bribes of any form.
This policy is non-exhaustive, and all aspects of the Company’s business should be considered in the spirit of this policy.
The Company is vehemently opposed to the use of slavery in all forms; cruel, inhuman or degrading punishments; and any attempt to control or reduce freedom of thought, conscience and religion.
The Company will ensure that all of its employees, agents and contractors are entitled to their human rights as set out in the Universal Declaration of Human Rights and the Human Rights Act 1998.
The Company will not enter into any business arrangement with any person, company or organisation which fails to uphold the human rights of its workers or who breach the human rights of those affected by the organisation’s activities.
The Company is committed to complying with all relevant employment legislation and regulations. The Company regards such regulations and legislation as the minimum rather than the recommended standard.
No worker should be discriminated against on the basis of age, gender, race, sexual orientation, religion or beliefs, gender reassignment, marital status or pregnancy. All workers should be treated equally. Workers with the same experience and qualifications should receive equal pay for equal work.
No worker should be prevented from joining or forming a staff association or trade union, nor should any worker suffer any detriment as a result of joining, or failing to join, any such organisation.
Workers should be aware of the terms and conditions of their employment or engagement from the outset. In particular workers must be made aware of the wage that they receive, when and how it is to be paid, the hours that they must work and any legal limit which exists for their protection and any overtime provisions. Workers should also be allowed such annual leave, sick leave, maternity / paternity leave and such other leave as is granted by legislation as a minimum.
The Company does not accept any corporal punishment, harassment in any form, or bullying in any form.
The Company is committed to keeping the environmental impact of its activities to a minimum and has established an Environmental Policy in order help achieve this aim. Copies of the Environmental Policy are available from the Managing Director
As an absolute minimum, the Company will ensure that it meets all applicable environmental laws in whichever jurisdiction it may be operating.
Conflicts of Interest
The Company holds as fundamental to its success the trust and confidence of those with whom it deals, including clients, suppliers and employees. Conflicts of interest potentially undermine the relationship of the Company with its partners.
In order to help preserve and strengthen these relationships the Company has developed a Corporate Hospitality and Gifts Policy, which provide rules and guidelines concerning the conduct of its officers and employees aimed at minimising the possibility of conflicts of interest and at avoiding risks associated with bribery and corruption. Copies of the Corporate Hospitality and Gifts Policy are available from the Managing Director.
All officers, employees and representatives of the Company are expected to act honestly and within the law.
Information and Confidentiality
Information received by employees, contractors or agents of the Company will not be used for any personal gain, nor will it be used for any purpose beyond that for which it was given.
The Company will at all times ensure that it complies with all applicable requirements of the Data Protection Legislation. “Data Protection Legislation” means (1) unless and until General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations, and secondary legislation (as amended from time to time) in the UK and subsequently (2) any legislation which succeeds the GDPR.
The Company, its officers, employees and representatives are committed to ensuring that no act or omission which is within their power and which would have the effect of deliberately, negligently or recklessly misleading the shareholders, creditors or other investors in the Company occurs.
The Company expects all suppliers and partners to work towards and uphold similar ethical and moral standards.
The Company will investigate the ethical record of potential new suppliers before entering into any agreement. Further, the Company reserves the right to request information from suppliers regarding the production and sources of goods supplied.
The Company reserves the right to withdraw from any agreement or other arrangement with any supplier or partner who is found to have acted in contravention of the spirit or principles of this Ethical Policy.
The Company is fundamentally opposed to any acts of bribery and to the making of facilitation payments as defined by the Bribery Act 2010.
Employees and any other persons associated with the Company such as agents, subsidiaries and business partners are not permitted to either offer or receive any type of bribe and/or facilitation payment.
All employees are encouraged to report any suspicion of corruption or bribery within the Company in accordance with the Whistleblowing Policy available from the Managing Director
Should any employee or associated person be in doubt when receiving or issuing gifts and hospitality, he/she must refer to the Gift and Hospitality Policy available from the Managing Director
The Company uses its reasonable endeavours to implement the guidance principles on bribery management that are published, from time to time, by Secretary of State in accordance with Section 9 of the Bribery Act 2010.
If an employee or associated person is found guilty of giving or receiving a bribe, he/she will be personally criminally liable and may be subject to disciplinary action.
Anyone found guilty of bribery, will be responsible for bearing any related remedial costs such as losses, court fees or expenses.
How do we Engage in and Promote Fair Trade?
As a fair trade organization, we have a commitment to fair trade as the principal core of our mission.
We make every effort to conduct business in accordance with our fair trade policy and to the highest ethical standards.
We aim to ensure that every accommodation product we supply is sourced and obtained in accordance with our fair trade policy and those ethical standards, in an acceptable manner, in accordance with current best practices, and in particular lawfully, through fair and honest dealing, without exploiting the people who made/built and operate/manage the accommodation product, in decent working conditions, and with environmental impact during production and transportation being reduced.
We endeavour to ensure that all of our suppliers and their sources adhere to our fair trade policy but recognise that it is not possible to provide absolute assurance that suppliers will do so. Where we identify transgressions by any supplier we try to work with them to develop an appropriate remediation programme. However we will stop using any supplier who we find persistently contravenes our fair trade policy or fails to implement an agreed remediation programme.
Our fair trade policy, as follows, is based on the World Fair Trade Organization’s 10 principles.
We aim to create opportunities for wholly independent, but economically disadvantaged suppliers who would not normally be able to access markets in economically developed countries.
We aim to ensure that the quality of each type of accommodation product that we source is the best available from that country and area.
The quantities of some of the accommodation products that we source from such suppliers are sufficient to make a real difference to their business.
We work with our suppliers to create a happy, trusting and long-term relationship with them. We aim to help our suppliers where possible to have a dependable and regular source of income which helps them create a secure and stable lifestyle.
We help market our suppliers products by emphasizing to our customers and prospective customers the craftsmanship, cultural influence and skills involved which make their products special.
Transparency and Accountability
Certain commercial information needs to remain confidential, but, subject to that, we aim to act with transparency and accountability in all our dealings with our suppliers and we have open discussions with them about our and their business plans and their aspirations.
We agree and pay our suppliers for accommodation products a fair price which is acceptable to them and which ensures that they are adequately compensated for their work and skill.
We adopt fair trade practices in our dealings with our suppliers.
We make payment to our suppliers on time and in full.
Ensuring no Child Labour or Forced Labour is Employed
We ensure that no child labour is used in the making of accommodation products that we sell/offer. For this purpose, we adopt the same age used by the International Labour Organization Convention No. 138 to define “child”, namely the age of 15 years, or, where any such product is produced or worked on in any country where the minimum age for completion of compulsory schooling is greater than 15, then we apply that greater age instead.
We are aware that some of many of the artisan skills involved in producing some of our products have been traditionally passed down through generations. However, we ensure that where any children are involved in learning any such skills, it is only in the context of apprenticeships and education-related work which are legitimate and legally sanctioned in their country and that it will not adversely affect their well-being, security, education, or development.
Further, we make sure that where any person who is under 18 but 15 or over (or if greater, the minimum age for completion of compulsory schooling in their country) is involved in producing, servicing or maintaining any of the accommodation products that we sell, neither the nature of their work nor the circumstances in which it is carried out is likely to jeopardise their health, safety or morals.
We ensure that forced labour, whether in the form of prison, bonded or uncompensated labour is not used.
Commitment to Non-Discrimination
We believe in equality and fairness for all and do not discriminate or tolerate discrimination of any type on any basis against any of our employees, regardless of age, sex, race, religion or disability. We also expect our suppliers to do the same and to provide equal opportunities and pay for all.
Ensuring Good Working Conditions
Our own employees enjoy good general working conditions, and in particular a safe and healthy environment.
We require our suppliers to meet their local laws on working conditions, welfare health and safety, minimum wages, hours of work, overtime and deductions.
We require our suppliers to make every effort to ensure that:
accidents or injury in the workplace are prevented;
health and safety procedures are implemented and employees are regularly trained and tested in what to do in certain situations;
there is always adequate lighting and ventilation;
clean drinking water is always available.
We do our best to both raise awareness of our suppliers of health and safety of employees, and to encourage them to improve their health and safety practices.
We require our own employees to treat all of their colleagues with respect and dignity, and ensure that no employee is treated with threatening behaviour, physical punishment or any form of mental or verbal abuse. We also require our suppliers to do the same.
We require our suppliers to ensure that their employees have the right to associate or unionise with any organization that is legal in their country.
We try to help our suppliers grow their business by providing them with any advice, training or contacts that we can, and by working with them to build capacity through development of management skill and access to other markets.
We want to spread the word that fair trade is the best way to trade, and we communicate this as much as possible.
We minimize our environmental impact and help our suppliers to do the same by returning to the manufacturer toner cartridges from laser printers that we use, recycling cardboard waste, using recyclable plastic bags, reducing our use of paper.
We are continuing to develop our environment practices in the production of the items that we sell.
This Policy sets out the obligations of Suite Hub Limited, a company registered in England & Wales of the United Kingdom under number 6293944 whose registered office is at Clyde House, Reform Road, Maidenhead, SL6 8BY (“the Company”) regarding data protection and the rights of staff, business clients, guests and suppliers (“data subjects”) in respect of their personal data under Data Protection Law (all legislation and regulations in force from time to time regulating the use of personal data and the privacy of electronic communications including, but not limited to, EU Regulation 2016/679 General Data Protection Regulation (“GDPR”), the Data Protection Act 2018, and any successor legislation or other directly applicable EU regulation relating to data protection and privacy for as long as, and to the extent that, EU law has legal effect in the UK).
This Policy sets the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
“consent” | means the consent of the data subject which must be a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify their agreement to the processing of personal data relating to them; |
“data controller” | means the natural or legal person or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Policy, the Company is the data controller of all personal data relating to Data Subjects used in our business for our commercial purposes; |
“data processor” | means a natural or legal person or organisation which processes personal data on behalf of a data controller; |
“data subject” | means a living, identified, or identifiable natural person about whom the Company holds personal data; |
“EEA” | means the European Economic Area, consisting of all EU Member States, Iceland, Liechtenstein, and Norway; |
“personal data” | means any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that data subject; |
“personal data breach” | means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed; |
“processing” | means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; |
“pseudonymisation” | means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person; and |
“special category personal data” | means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric, or genetic data. |
The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.
The Company’s Data Protection Officer is Gary Moore. The Data Protection Officer is responsible for administering this Policy and for developing and implementing any applicable related policies, procedures, and/or guidelines.
All staff are responsible for ensuring that all employees, agents, contractors, or other parties working on behalf of the Company comply with this Policy and, where applicable, must implement such practices, processes, controls, and training as are reasonably necessary to ensure such compliance.
Any questions relating to this Policy or to Data Protection Law should be referred to the Data Protection Officer. In particular, the Data Protection Officer should always be consulted in the following cases:
if there is any uncertainty relating to the lawful basis on which personal data is to be collected, held, and/or processed;
if consent is being relied upon in order to collect, hold, and/or process personal data;
if there is any uncertainty relating to the retention period for any particular type(s) of personal data;
if any new or amended privacy notices or similar privacy-related documentation are required;
if any assistance is required in dealing with the exercise of a data subject’s rights (including, but not limited to, the handling of subject access requests);
if a personal data breach (suspected or actual) has occurred;
if there is any uncertainty relating to security measures (whether technical or organisational) required to protect personal data;
if personal data is to be shared with third parties (whether such third parties are acting as data controllers or data processors);
if personal data is to be transferred outside of the EEA and there are questions relating to the legal basis on which to do so;
when any significant new processing activity is to be carried out, or significant changes are to be made to existing processing activities, which will require a Data Protection Impact Assessment;
when personal data is to be used for purposes different to those for which it was originally collected;
if any automated processing, including profiling or automated decision-making, is to be carried out; or
if any assistance is required in complying with the law applicable to direct marketing.
The Data Protection Principles
This Policy aims to ensure compliance with Data Protection Law. The GDPR sets out the following principles with which any party handling personal data must comply. Data controllers are responsible for, and must be able to demonstrate, such compliance. All personal data must be:
processed lawfully, fairly, and in a transparent manner in relation to the data subject;
collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject;
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
The GDPR sets out the following key rights applicable to data subjects:
The right to be informed;
the right of access;
the right to rectification;
the right to erasure (also known as the ‘right to be forgotten’);
the right to restrict processing;
the right to data portability;
the right to object; and
rights with respect to automated decision-making and profiling.
Lawful, Fair, and Transparent Data Processing
Data Protection Law seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. Specifically, the GDPR states that processing of personal data shall be lawful if at least one of the following applies:
the data subject has given consent to the processing of their personal data for one or more specific purposes;
the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
the processing is necessary for compliance with a legal obligation to which the data controller is subject;
the processing is necessary to protect the vital interests of the data subject or of another natural person;
the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
If the personal data in question is special category personal data (also known as “sensitive personal data”), at least one of the following conditions must be met:
the data subject has given their explicit consent to the processing of such data for one or more specified purposes (unless EU or EU Member State law prohibits them from doing so);
the processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law (insofar as it is authorised by EU or EU Member State law or a collective agreement pursuant to EU Member State law which provides for appropriate safeguards for the fundamental rights and interests of the data subject);
the processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
the data controller is a foundation, association, or other non-profit body with a political, philosophical, religious, or trade union aim, and the processing is carried out in the course of its legitimate activities, provided that the processing relates solely to the members or former members of that body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside the body without the consent of the data subjects;
the processing relates to personal data which is manifestly made public by the data subject;
the processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity;
the processing is necessary for substantial public interest reasons, on the basis of EU or EU Member State law which shall be proportionate to the aim pursued, shall respect the essence of the right to data protection, and shall provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;
the processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems or services on the basis of EU or EU Member State law or pursuant to a contract with a health professional, subject to the conditions and safeguards referred to in Article 9(3) of the GDPR;
the processing is necessary for public interest reasons in the area of public health, for example, protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or EU Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject (in particular, professional secrecy); or
the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR based on EU or EU Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
If consent is relied upon as the lawful basis for collecting, holding, and/or processing personal data, the following shall apply:
Consent is a clear indication by the data subject that they agree to the processing of their personal data. Such a clear indication may take the form of a statement or a positive action. Silence, pre-ticked boxes, or inactivity are unlikely to amount to consent.
Where consent is given in a document which includes other matters, the section dealing with consent must be kept clearly separate from such other matters.
Data subjects are free to withdraw consent at any time and it must be made easy for them to do so. If a data subject withdraws consent, their request must be honoured promptly.
If personal data is to be processed for a different purpose that is incompatible with the purpose or purposes for which that personal data was originally collected that was not disclosed to the data subject when they first provided their consent, consent to the new purpose or purposes may need to be obtained from the data subject.
If special category personal data is processed, the Company shall normally rely on a lawful basis other than explicit consent. If explicit consent is relied upon, the data subject in question must be issued with a suitable privacy notice in order to capture their consent.
In all cases where consent is relied upon as the lawful basis for collecting, holding, and/or processing personal data, records must be kept of all consents obtained in order to ensure that the Company can demonstrate its compliance with consent requirements.
Specified, Explicit, and Legitimate Purposes
The Company collects and processes the personal data set out in Part 24 of this Policy. This includes:
personal data collected directly from data subjects and
personal data obtained from third parties.
The Company only collects, processes, and holds personal data for the specific purposes set out in Part 24 of this Policy (or for other purposes expressly permitted by the GDPR).
Data subjects must be kept informed at all times of the purpose or purposes for which the Company uses their personal data. Please refer to Part 15 for more information on keeping data subjects informed.
Adequate, Relevant, and Limited Data Processing
The Company will only collect and process personal data for and to the extent necessary for the specific purpose or purposes of which data subjects have been informed (or will be informed) as under Part 8, above, and as set out in Part 24, below.
Employees, agents, contractors, or other parties working on behalf of the Company may collect personal data only to the extent required for the performance of their job duties and only in accordance with this Policy. Excessive personal data must not be collected.
Employees, agents, contractors, or other parties working on behalf of the Company may process personal data only when the performance of their job duties requires it. Personal data held by the Company cannot be processed for any unrelated reasons.
Accuracy of Data and Keeping Data Up-to-Date
The Company shall ensure that all personal data collected, processed, and held by it is kept accurate and up-to-date. This includes, but is not limited to, the rectification of personal data at the request of a data subject, as set out in Part 17, below.
The accuracy of personal data shall be checked when it is collected and at regular intervals thereafter. If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
The Company shall not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed.
When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.
For full details of the Company’s approach to data retention, including retention periods for specific personal data types held by the Company, please refer to our Data Retention Policy.
The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Further details of the technical and organisational measures which shall be taken are provided in Parts 25 to 30 of this Policy.
All technical and organisational measures taken to protect personal data shall be regularly reviewed and evaluated to ensure their ongoing effectiveness and the continued security of personal data.
Data security must be maintained at all times by protecting the confidentiality, integrity, and availability of all personal data as follows:
only those with a genuine need to access and use personal data and who are authorised to do so may access and use it;
personal data must be accurate and suitable for the purpose or purposes for which it is collected, held, and processed; and
authorised users must always be able to access the personal data as required for the authorised purpose or purposes.
Accountability and Record-Keeping
The Data Protection Officer is responsible for administering this Policy and for developing and implementing any applicable related policies, procedures, and/or guidelines.
The Company shall follow a privacy by design approach at all times when collecting, holding, and processing personal data. Data Protection Impact Assessments shall be conducted if any processing presents a significant risk to the rights and freedoms of data subjects (please refer to Part 14 for further information).
All employees, agents, contractors, or other parties working on behalf of the Company shall be given appropriate training in data protection and privacy, addressing the relevant aspects of Data Protection Law, this Policy, and all other applicable Company policies.
The Company’s data protection compliance shall be regularly reviewed and evaluated by means of Data Protection Audits.
The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:
the name and details of the Company, its Data Protection Officer, and any applicable third-party data transfers (including data processors and other data controllers with whom personal data is shared);
the purposes for which the Company collects, holds, and processes personal data;
the Company’s legal basis or bases (including, but not limited to, consent, the mechanism(s) for obtaining such consent, and records of such consent) for collecting, holding, and processing personal data;
details of the categories of personal data collected, held, and processed by the Company, and the categories of data subject to which that personal data relates;
details of any transfers of personal data to non-EEA countries including all mechanisms and security safeguards;
details of how long personal data will be retained by the Company (please refer to the Company’s Data Retention Policy);
details of personal data storage, including location(s);
detailed descriptions of all technical and organisational measures taken by the Company to ensure the security of personal data.
Data Protection Impact Assessments and Privacy by Design
In accordance with the privacy by design principles, the Company shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data which involve the use of new technologies and where the processing involved is likely to result in a high risk to the rights and freedoms of data subjects.
The principles of privacy by design should be followed at all times when collecting, holding, and processing personal data. The following factors should be taken into consideration:
the nature, scope, context, and purpose or purposes of the collection, holding, and processing;
the state of the art of all relevant technical and organisational measures to be taken;
the cost of implementing such measures; and
the risks posed to data subjects and to the Company, including their likelihood and severity.
Data Protection Impact Assessments shall be overseen by the Data Protection Officer and shall address the following:
the type(s) of personal data that will be collected, held, and processed;
the purpose(s) for which personal data is to be used;
the Company’s objectives;
how personal data is to be used;
the parties (internal and/or external) who are to be consulted;
the necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;
risks posed to data subjects;
risks posed both within and to the Company; and
proposed measures to minimise and handle identified risks.
Keeping Data Subjects Informed
The Company shall provide the information set out in Part 15.2 to every data subject:
where personal data is collected directly from data subjects, those data subjects will be informed of its purpose at the time of collection; and
where personal data is obtained from a third party, the relevant data subjects will be informed of its purpose:
if the personal data is used to communicate with the data subject, when the first communication is made; or
if the personal data is to be transferred to another party, before that transfer is made; or
as soon as reasonably possible and in any event not more than one month after the personal data is obtained.
The following information shall be provided in the form of a privacy notice:
details of the Company including, but not limited to, contact details, and the names and contact details of any applicable representatives and its Data Protection Officer;
the purpose(s) for which the personal data is being collected and will be processed (as detailed in Part 24 of this Policy) and the lawful basis justifying that collection and processing;
where applicable, the legitimate interests upon which the Company is justifying its collection and processing of the personal data;
where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;
where the personal data is to be transferred to one or more third parties, details of those parties;
where the personal data is to be transferred to a third party that is located outside of the EEA, details of that transfer, including but not limited to the safeguards in place (see Part 31 of this Policy for further details);
details of applicable data retention periods;
details of the data subject’s rights under the GDPR;
details of the data subject’s right to withdraw their consent to the Company’s processing of their personal data at any time;
details of the data subject’s right to complain to the Information Commissioner’s Office (the “supervisory authority” under the GDPR);
where the personal data is not obtained directly from the data subject, details about the source of that personal data;
where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it; and
details of any automated decision-making or profiling that will take place using the personal data, including information on how decisions will be made, the significance of those decisions, and any consequences.
Data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why.
Employees wishing to make a SAR should do using a Subject Access Request Form, sending the form to the Company’s Data Protection Officer.
Responses to SARs must normally be made within one month of receipt, however, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.
All SARs received shall be handled by the Company’s Data Protection Officer.
The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
Rectification of Personal Data
Data subjects have the right to require the Company to rectify any of their personal data that is inaccurate or incomplete.
The Company shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing the Company of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.
In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.
Data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:
it is no longer necessary for the Company to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;
the data subject wishes to withdraw their consent to the Company holding and processing their personal data;
the data subject objects to the Company holding and processing their personal data (and there is no overriding legitimate interest to allow the Company to continue doing so) (see Part 21 of this Policy for further details concerning the right to object);
the personal data has been processed unlawfully;
the personal data needs to be erased in order for the Company to comply with a particular legal obligation.
Unless the Company has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.
In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
Restriction of Personal Data Processing
Data subjects may request that the Company ceases processing the personal data it holds about them. If a data subject makes such a request, the Company shall retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.
In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).
The Company processes personal data using automated means.
Where data subjects have given their consent to the Company to process their personal data in such a manner, or the processing is otherwise required for the performance of a contract between the Company and the data subject, data subjects have the right, under the GDPR, to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers).
To facilitate the right of data portability, the Company shall make available all applicable personal data to data subjects in the following format[s]:
Microsoft Excel.
Microsoft Word.
Where technically feasible, if requested by a data subject, personal data shall be sent directly to the required data controller.
All requests for copies of personal data shall be complied with within one month of the data subject’s request. The period can be extended by up to two months in the case of complex or numerous requests. If such additional time is required, the data subject shall be informed.
Objections to Personal Data Processing
Data subjects have the right to object to the Company processing their personal data based on legitimate interests, for direct marketing (including profiling).
Where a data subject objects to the Company processing their personal data based on its legitimate interests, the Company shall cease such processing immediately, unless it can be demonstrated that the Company’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.
Where a data subject objects to the Company processing their personal data for direct marketing purposes, the Company shall cease such processing promptly.
Automated Processing, Automated Decision-Making, and Profiling
The Company uses personal data for profiling purposes as follows:
Email Marketing Segmentation.
CRM Contact record profiling
The activities described in this Part 22 are generally prohibited under Data Protection Law where the resulting decisions have a legal or similarly significant effect on data subjects unless one of the following applies:
the data subject has given their explicit consent;
the processing is authorised by law; or
the processing is necessary for the entry into, or performance of, a contract between the Company and the data subject.
If special category personal data is to be processed in this manner, such processing can only be carried out if one of the following applies:
the data subject has given their explicit consent; or
the processing is necessary for reasons of substantial public interest.
Where decisions are to be based solely on automated processing (including profiling), data subjects have the right to object, to challenge such decisions, request human intervention, to express their own point of view, and to obtain an explanation of the decision from the Company. Data subjects must be explicitly informed of this right at the first point of contact.
In addition to the above, clear information must be provided to data subjects explaining the logic involved in the decision-making or profiling, and the significance and envisaged consequences of the decision or decisions.
When personal data is used for any form of automated processing, automated decision-making, or profiling, the following shall apply:
appropriate mathematical or statistical procedures shall be used;
technical and organisational measures shall be implemented to minimise the risk of errors. If errors occur, such measures must enable them to be easily corrected; and
all personal data to be processed in this manner shall be secured in order to prevent discriminatory effects arising (see Parts 25 to 30 of this Policy for more details on data security and organisational measures).
The Company is subject to certain rules and regulations when marketing it services.
The prior consent of data subjects is required for electronic direct marketing including email, text messaging, and automated telephone calls subject to the following limited exception:
The Company may send marketing text messages or emails to a customer provided that that customer’s contact details have been obtained in the course of a sale, the marketing relates to similar products or services, and the customer in question has been given the opportunity to opt-out of marketing when their details were first collected and in every subsequent communication from the Company.
The right to object to direct marketing shall be explicitly offered to data subjects in a clear and intelligible manner and must be kept separate from other information in order to preserve its clarity.
If a data subject objects to direct marketing, their request must be complied with promptly. A limited amount of personal data may be retained in such circumstances to the extent required to ensure that the data subject’s marketing preferences continue to be complied with.
Personal Data Collected, Held, and Processed
The following personal data is collected, held, and processed by the Company (for details of data retention, please refer to the Company’s Data Retention Policy):
Data Ref. | Type of Data | Purpose of Data |
GDPR-101 | Customer (Booker of accommodation) Name | To identify who is entering into a booking contract with Suite Hub |
GDPR-102 | Customer (Booker of accommodation) Email | For direct communication |
GDPR-103 | Customer (Booker of accommodation) Tel | For direct communication |
GDPR-104 | Customer (Booker of accommodation) Billing Address | To apply to invoices |
GDPR-105 | Guest (occupant of accommodation) Name | To identify who is travelling and occupying accommodation supplied |
GDPR-106 | Guest (occupant of accommodation) Email | For direct and supplier communication |
GDPR-107 | Guest (occupant of accommodation) Tel | For direct and supplier communication |
GDPR-108 | Guest (occupant of accommodation) Passport Copy | For suppliers legal due diligence and duty where required |
GDPR-109 | Supplier (Provider of accommodation) Name | To identify who is entering into and authorising a contract with Suite Hub. |
GDPR-110 | Supplier (Provider of accommodation) Email | For direct communication |
GDPR-111 | Supplier (Provider of accommodation) Tel | For direct communication |
Data Security – Transferring Personal Data and Communications
The Company shall ensure that the following measures are taken with respect to all communications and other transfers involving personal data:
All emails containing personal data must be encrypted.
All emails containing personal data must be marked “confidential”;
Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances;
Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted
Where personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
Where personal data is to be transferred in hardcopy form it should be passed directly to the recipient
All personal data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a suitable container marked “confidential”;
The Company shall ensure that the following measures are taken with respect to the storage of personal data:
All electronic copies of personal data should be stored securely using passwords and data encryption;
All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar;
All personal data stored electronically should be backed up quarterly with backups stored on cloud-based servers All backups should be encrypted.
No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary];
No personal data should be transferred to any device personally belonging to an employee, agent, contractor, or other party working on behalf of the Company and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken);
When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. For further information on the deletion and disposal of personal data, please refer to the Company’s Data Retention Policy.
Data Security – Use of Personal Data
The Company shall ensure that the following measures are taken with respect to the use of personal data:
No personal data may be shared informally and if an employee, agent, contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from Gary Moore, Managing Director.
No personal data may be transferred to any employee, agent, contractor, or other party, whether such parties are working on behalf of the Company or not, without the authorisation of Gary Moore, Managing Director
Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, contractors, or other parties at any time;
If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it;
Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of Gary Moore, Managing Director, to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS;
The Company shall ensure that the following measures are taken with respect to IT and information security:
All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. All software used by the Company is designed to require such passwords.
Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;
All software (including, but not limited to, applications and operating systems) shall be kept up-to-date. The Company’s IT staff shall be responsible for installing any and all security-related updates as soon as reasonably and practically possible.
No software may be installed on any Company-owned computer or device without the prior approval of the IT Department.
The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
All employees, agents, contractors, or other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under Data Protection Law and under this Policy, and shall be provided with a copy of this Policy;
Only employees, agents, contractors, or other parties working on behalf of the Company that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company;
All sharing of personal data shall comply with the information provided to the relevant data subjects and, if required, the consent of such data subjects shall be obtained prior to the sharing of their personal data;
All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately trained to do so;
All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately supervised;
All employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise;
Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;
All personal data held by the Company shall be reviewed periodically, as set out in the Company’s Data Retention Policy;
The performance of those employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed;
All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of Data Protection Law and this Policy by contract;
All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and Data Protection Law;
Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure;
Transferring Personal Data to a Country Outside the EEA
The Company may from time to time transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA.
The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:
the transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;
the transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;
the transfer is made with the informed and explicit consent of the relevant data subject(s);
the transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);
the transfer is necessary for important public interest reasons;
the transfer is necessary for the conduct of legal claims;
the transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or
the transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.
All personal data breaches must be reported immediately to the Company’s Data Protection Officer.
If an employee, agent, contractor, or other party working on behalf of the Company becomes aware of or suspects that a personal data breach has occurred, they must not attempt to investigate it themselves. Any and all evidence relating to the personal data breach in question should be carefully retained.
If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described under Part 32.3) to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.
Data breach notifications shall include the following information:
The categories and approximate number of data subjects concerned;
The categories and approximate number of personal data records concerned;
The name and contact details of the Company’s data protection officer (or other contact point where more information can be obtained);
The likely consequences of the breach;
Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
This Policy shall be deemed effective as of 20th Jan 2020. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
This document sets out the measures to be taken by all employees of Suite Hub Limited (the “Company”) and by the Company as a whole in order to protect the Company’s computer systems, devices, infrastructure, computing environment and any and all other relevant equipment (collectively, “IT Systems”) from damage and threats whether internal, external, deliberate, or accidental.
All IT Systems are to be protected against unauthorised access.
All IT Systems are to be used only in compliance with relevant Company Policies.
All employees of the Company and any and all third parties authorised to use the IT Systems including, but not limited to, contractors and sub-contractors (collectively, “Users”), must ensure that they are familiar with this Policy and must adhere to and comply with it at all times.
All line managers must ensure that all Users under their control and direction must adhere to and comply with this Policy at all times as required under paragraph 2.3.
All data stored on IT Systems are to be managed securely in compliance with all relevant parts of EU Regulation 2016/679 General Data Protection Regulation (“GDPR”) and all other laws governing data protection whether now or in the future in force.
All data stored on IT Systems are to be classified appropriately (including, but not limited to, personal data, sensitive personal data, and confidential information) All data so classified must be handled appropriately in accordance with its classification.
All data stored on IT Systems shall be available only to those Users with a legitimate need for access.
All data stored on IT Systems shall be protected against unauthorised access and/or processing.
All data stored on IT Systems shall be protected against loss and/or corruption.
All IT Systems are to be installed, maintained, serviced, repaired, and upgraded by George Doubinski (the “IT Department”) or by such third party/parties as the IT Department may from time to time authorise.
The responsibility for the security and integrity of all IT Systems and the data stored thereon (including, but not limited to, the security, integrity, and confidentiality of that data) lies with the IT Department unless expressly stated otherwise.
All breaches of security pertaining to the IT Systems or any data stored thereon shall be reported and subsequently investigated by the IT Department. [Any breach which is either known or suspected to involve personal data shall be reported to the Data Protection Officer, Gary Moore.
All Users must report any and all security concerns relating to the IT Systems or to the data stored thereon immediately to the IT Department. If any such concerns relate in any way to personal data, such concerns must also reported to the Data Protection Officer.
IT Department Responsibilities
The IT Manager, George Doubinski, shall be responsible for the following:
ensuring that all IT Systems are assessed and deemed suitable for compliance with the Company’s security requirements;
ensuring that IT security standards within the Company are effectively implemented and regularly reviewed, working in consultation with the Company’s senior management [and Data Protection Officer, as appropriate,] and reporting the outcome of such reviews to the Company’s senior management;
ensuring that all Users are kept aware of the requirements of this Policy and of all related legislation, regulations, and other relevant rules whether now or in the future in force including, but not limited to, the GDPR and the Computer Misuse Act 1990.
The IT Staff shall be responsible for the following:
assisting all Users in understanding and complying with this Policy;
providing all Users with appropriate support and training in IT security matters and use of IT Systems;
ensuring that all Users are granted levels of access to IT Systems that are appropriate for each User, taking into account their job role, responsibilities, and any special security requirements;
receiving and handling all reports relating to IT security matters and taking appropriate action in response [including, in the event that any reports relate to personal data, informing the Data Protection Officer];
taking proactive action, where possible, to establish and implement IT security procedures and raise User awareness;
assisting the IT Manager in monitoring all IT security within the Company and taking all necessary action to implement this Policy and any changes made to this Policy in the future; and
ensuring that regular backups are taken of all data stored within the IT Systems at intervals no less than quarterly and that such backups are stored at a suitable cloud-based location Dropbox for Business / Microsoft Azure
All Users must comply with all relevant parts of this Policy at all times when using the IT Systems.
All Users must use the IT Systems only within the bounds of UK law and must not use the IT Systems for any purpose or activity which is likely to contravene any UK law whether now or in the future in force.
Users must immediately inform the IT Department (and, where such concerns relate to personal data, the Data Protection Officer) of any and all security concerns relating to the IT Systems.
Users must immediately inform the IT Department of any other technical problems (including, but not limited to, hardware failures and software errors) which may occur on the IT Systems.
Any and all deliberate or negligent breaches of this Policy by Users will be handled as appropriate under the Company’s disciplinary procedures.
All software in use on the IT Systems (including, but not limited to, operating systems, individual software applications, and firmware) will be kept up-to-date and any and all relevant software updates, patches, fixes, and other intermediate releases will be applied at the sole discretion of the IT Department. This provision does not extend to upgrading software to new ‘major releases’ (e.g. from version 1.0 to version 2.0), only to updates within a particular major release (e.g. from version 1.0 to version 1.0.1 etc.). Unless a software update is available free of charge it will be classed as a major release, falling within the remit of new software procurement and outside the scope of this provision.
Where any security flaw is identified in any software that flaw will be either fixed immediately or the software may be withdrawn from the IT Systems until such time as the security flaw can be effectively remedied. If the security flaw affects, is likely to affect, or is suspected to affect any personal data, the Data Protection Officer shall be informed immediately.
No Users may install any software of their own, whether that software is supplied on physical media or whether it is downloaded, without the approval of the IT Manager. Any software belonging to Users must be approved by the IT Manager and may only be installed where that installation poses no security risk to the IT Systems and where the installation would not breach any licence agreements to which that software may be subject.
All software will be installed onto the IT Systems by the IT Department unless an individual User is given written permission to do so by the IT Manager. Such written permission must clearly state which software may be installed and onto which computer(s) or device(s) it may be installed.
Most IT Systems (including all computers and servers) will be protected with suitable anti-virus, firewall, and other suitable internet security software. All such software will be kept up-to-date with the latest software updates and definitions.
All IT Systems protected by anti-virus software will be subject to a full system scan at least Quarterly.
All physical media (e.g. USB memory sticks or disks of any kind) used by Users for transferring files must be virus-scanned before any files may be transferred. Such virus scans shall be performed automatically upon connection / insertion of media
Users shall be permitted to transfer files using cloud storage systems only with the approval of the IT Manager. All files downloaded from any cloud storage system must be scanned for viruses during the download process.
Any files being sent to third parties outside the Company, whether by email, on physical media, or by other means (e.g. shared cloud storage) must be scanned for viruses before being sent or as part of the sending process, as appropriate. [All email attachments are scanned automatically upon sending.]
Where any virus is detected by a User this must be reported immediately to the IT Department (this rule shall apply even where the anti-virus software automatically fixes the problem). The IT Department shall promptly take any and all necessary action to remedy the problem. In limited circumstances this may involve the temporary removal of the affected computer or device. Wherever possible a suitable replacement computer or device will be provided within 7 days to limit disruption to the User.
If any virus or other malware affects, is likely to affect, or is suspected to affect any personal data, in addition to the above, the issue must be reported immediately to the Data Protection Officer.
Where any User deliberately introduces any malicious software or virus to the IT Systems this will constitute a criminal offence under the Computer Misuse Act 1990 and will be handled as appropriate under the Company’s disciplinary procedures.
Wherever practical, IT Systems will be located in rooms which may be securely locked when not in use or, in appropriate cases, at all times whether in use or not (with authorised Users being granted access by means of a key, smart card, door code or similar). Where access to such locations is restricted, Users must not allow any unauthorised access to such locations for any reason.
All IT Systems not intended for normal use by Users (including, but not limited to, servers, networking equipment, and network infrastructure) shall be located, wherever possible and practical, in secured, climate-controlled rooms and/or in locked cabinets which may be accessed only by designated members of the IT Department.
No Users shall have access to any IT Systems not intended for normal use by Users (including such devices mentioned above) without the express permission of the IT Manager. Under normal circumstances, whenever a problem with such IT Systems is identified by a User, that problem must be reported to the IT Department. Under no circumstances should a User attempt to rectify any such problems without the express permission (and, in most cases, instruction and/or supervision) of the IT Manager.
All non-mobile devices (including, but not limited to, desktop computers, workstations, and monitors) shall, wherever possible and practical, be physically secured in place with a suitable locking mechanism. Where the design of the hardware allows, computer cases shall be locked to prevent tampering with or theft of internal components.
All mobile devices (including, but not limited to, laptops, tablets, and smartphones) provided by the Company should always be transported securely and handled with care. In circumstances where such mobile devices are to be left unattended, they should be placed inside a lockable case or other suitable container. Users should make all reasonable efforts to avoid such mobile devices from being left unattended at any location [other than their private homes or Company premises]. If any such mobile device is to be left in a vehicle it must be stored out of sight and, where possible, in a locked compartment.
The IT Department shall maintain a complete asset register of all IT Systems. All IT Systems shall be labelled, and the corresponding data shall be kept on the asset register.
Access privileges for all IT Systems shall be determined on the basis of Users’ levels of authority within the Company and the requirements of their job roles. Users shall not be granted access to any IT Systems or electronic data which are not reasonably required for the fulfilment of their job roles.
All IT Systems (and in particular mobile devices including, but not limited to, laptops, tablets, and smartphones) shall be protected with a secure password or passcode, or such other form of secure log-in system as the IT Department may deem appropriate and approve. Not all forms of biometric log-in are considered secure. Only those methods approved by the IT Department may be used.
All passwords must, where the software, computer, or device allows:
be at least 8 characters long;
contain a combination of Uppercase, lower case letters and at least one number;
be changed at least every 180 days;
be different from the previous password;
not be obvious or easily guessed (e.g. birthdays or other memorable dates, memorable names, events, or places etc.); and
be created by individual Users.
Passwords should be kept secret by each User. Under no circumstances should a User share their password with anyone, including the IT Manager and the IT Staff. No User will be legitimately asked for their password by anyone at any time and any such request should be refused. If a User has reason to believe that another individual has obtained their password, they should change their password immediately and report the suspected breach of security to the IT Department and, where personal data could be accessed by an unauthorised individual, the Data Protection Officer.
If a User forgets their password, this should be reported to the IT Department. The IT Department will take the necessary steps to restore the User’s access to the IT Systems which may include the issuing of a temporary password which may be fully or partially known to the member of the IT Staff responsible for resolving the issue. A new password must be set up by the User immediately upon the restoration of access to the IT Systems.
Users should not write down passwords if it is possible to remember them. If a User cannot remember a password, it should be stored securely (e.g. in a locked drawer or in a secure password database) and under no circumstances should passwords be left on display for others to see (e.g. by attaching a note to a computer display).
All IT Systems with displays and user input devices (e.g. mouse, keyboard, touchscreen etc.) shall be protected, where possible, with a password protected screensaver that will activate after 5 minutes of inactivity. This time period cannot be changed by Users and Users may not disable the screensaver. Activation of the screensaver will not interrupt or disrupt any other activities taking place on the computer (e.g. data processing).
All mobile devices (including, but not limited to, laptops, tablets, and smartphones) provided by the Company shall be set to lock, sleep, or similar, after 5 minutes of inactivity, requiring a password, passcode, or other form of log-in to unlock, wake, or similar. Users may not alter this time period.
Users may not use any software which may allow outside parties to access the IT Systems without the express consent of the IT Manager. Any such software must be reasonably required by the User for the performance of their job role and must be fully inspected and cleared by the IT Manager and, where such access renders personal data accessible by the outside party, the Data Protection Officer.
Users may connect their own devices (including, but not limited to, laptops, tablets, and smartphones) to the Company networks subject to the approval of the IT Department. Any and all instructions and requirements provided by the IT Department governing the use of Users’ own devices when connected to the Company network must be followed at all times. Users’ use of their own devices shall be subject to, and governed by, all relevant Company Policies (including, but not limited to, this Policy) while those devices are connected to the Company network or to any other part of the IT Systems. The IT Department shall reserve the right to request the immediate disconnection of any such devices without notice.
All data, and in particular personal data, should be stored securely using passwords and data encryption.
All data stored electronically on physical media, and in particular personal data, should be stored securely in a locked box, drawer, cabinet, or similar.
No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of the Data Protection Officer and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary.
No data, and in particular personal data, should be transferred to any computer or device personally belonging to a User unless the User in question is a contractor or sub-contractor working on behalf of the Company and that User has agreed to comply fully with the Company’s Data Protection Policy and the GDPR.
All personal data (as defined in the GDPR) collected, held, and processed by the Company will be collected, held, and processed strictly in accordance with the principles of the GDPR, the provisions of the GDPR and the Company’s Data Protection Policy.
All Users handling data for and on behalf of the Company shall be subject to, and must comply with, the provisions of the Company’s Data Protection Policy at all times. In particular, the following shall apply:
All emails containing personal data must be encrypted.
All emails containing personal data must be marked “confidential”;
Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted under any circumstances;
Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
Personal data contained in the body of an email, whether sent or received, should be copied directly from the body of that email, and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted.
All personal data to be transferred physically, including that on removable electronic media, shall be transferred in a suitable container marked “confidential”.
Where any confidential or personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the User must lock the computer and screen before leaving it.
Any questions relating to data protection should be referred to the Data Protection Officer.
All Users shall be subject to, and must comply with, the provisions of the Company’s Communications, Email and Internet Policy when using the IT Systems.
Where provisions in this Policy require any additional steps to be taken to ensure IT security when using the internet or email over and above the requirements imposed by the Communications, Email and Internet Policy, Users must take such steps as required.
Reporting IT Security Breaches
Subject to paragraph 12.2, all concerns, questions, suspected breaches, or known breaches shall be referred immediately to the IT Department.
All concerns, questions, suspected breaches, or known breaches that involve personal data shall be referred immediately to the Data Protection Officer who shall handle the matter in accordance with the Company’s Data Protection Policy.
Upon receiving a question or notification of a breach, the IT Department shall, within 2 hours assess the issue including, but not limited to, the level of risk associated therewith, and shall take any and all such steps as the IT Department deems necessary to respond to the issue.
Under no circumstances should a User attempt to resolve an IT security breach on their own without first consulting the IT Department [(or the Data Protection Officer, as appropriate)]. Users may only attempt to resolve IT security breaches under the instruction of, and with the express permission of, the IT Department.
All IT security breaches, whether remedied by the IT Department or by a User under the IT Department’s direction, shall be fully documented.
The Company shall review this Policy not less than every 3 months and otherwise as required in order to ensure that it remains up-to-date and fit for purpose. All questions, concerns, and other feedback relating to this Policy should be communicated to the IT Manager, and/or the Data Protection Officer
This Policy shall be deemed effective as of 20th January 2020 No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
The statement sets down Suite Hub’s commitment to preventing slavery and human trafficking in our business activities and the steps we have put in place with the aim of ensuring that there is no slavery or human trafficking in our own business and supply chains. We all have a duty to be alert to risks, however small. Staff are expected to report their concerns and management to act upon them.
Organisational structure and supply chains
This statement covers the business activities of Suite Hub Limited which are as follows:
Suite Hub limited is a serviced accommodation booking agency, providing a simple booking service and a cloud-based booking management platform for serviced accommodation owned or directly operated by over 1000 suppliers globally. Suite Hub is an independent and privately-owned limited company that only works directly with property owners, operators and managers which results in short, transparent, low risk and highly accountable supply chain.
The Company currently operates in the following countries as detailed on its website https://www.suitehub.com/serviced-apartments
Responsibility for the Company’s anti-slavery initiatives is as follows:
Policies: the HR Manager is responsible for creating and reviewing policies. The process by which policies are developed is by looking at the best practice and adapting to the needs of the Company.
Risk assessments: the HR Manager is responsible for risk assessments in respect of human rights and modern slavery.
Due diligence: the HR Department is responsible for due diligence in relation to known or suspected instances of modern slavery and human trafficking.
To ensure a good understanding of the risks of modern slavery and human trafficking in our business and supply chains, the Company requires all staff to complete an online training course.
The Company is committed to ensuring that there is no modern slavery or human trafficking in our business or our supply chains. This Statement affirms its intention to act ethically in our business relationships.
The following policies set down our approach to the identification of modern slavery risks and steps to be taken to prevent slavery and human trafficking in our operations.
Whistleblowing policy. the Company encourages all its workers, customers and other business partners to report any concerns related to its direct activities or its supply chains.
Company Code of Conduct. The Code of Conduct sets down the actions and behaviour expected of employees when representing the Company.
Corporate Social Responsibility (CSR) Policy. The Company’s CSR policy summarises how we manage our environmental impacts and how we work responsibly with suppliers and local communities.
Due Diligence Processes for Slavery and Human Trafficking
The Company undertakes due diligence when considering taking on new suppliers, and regularly reviews its existing suppliers. The Company’s due diligence process includes building long-standing relationships with suppliers and making clear our expectations of business partners and evaluating the modern slavery and human trafficking risks of each new supplier and invoking sanctions against suppliers that fail to improve their performance in line with an action plan provided by us, including the termination of the business relationship.
The Company uses the following key performance indicators (KPIs) to measure how effective we are in ensuring slavery and human trafficking is not taking place in any part of our business or supply chains including requiring all relevant staff to have completed training on modern slavery.
This Modern Slavery and Human Trafficking Statement will be regularly reviewed and updated as necessary. The Managing Director endorses this policy statement and is fully committed to its implementation.
Effective and consistent recruitment practices are essential to ensure that all applicants are treated fairly and with equality of opportunity so that costly recruitment mistakes are avoided.
The recruitment process must result in the selection of the most suitable person for the job in respect of skills, experience and qualifications. To this end, the Company will recruit candidates who are most suited to the position in question and comply with its Equal Opportunities, Diversity and Inclusion Policy at all times. The nationality of the most suitable candidate will have no bearing on whether or not he/she is selected for the post, subject to the requirement to meet the resident labour market test where applicable and eligibility for sponsorship where necessary.
This Policy defines the principles that the Company considers important in the recruitment process and aims to ensure that consistency and good practice is applied across the Company.
Equal Opportunity and Diversity in Recruitment
It is against the Company’s Equal Opportunities, Diversity and Inclusion Policy to discriminate either directly or indirectly on the grounds of race, nationality, ethnic origin, gender, marital status, pregnancy, age, disability, sexual orientation, ethnicity, cultural or religious beliefs. Reasonable adjustments to the recruitment process will be made to ensure that no applicant is disadvantaged because of his/her disability.
All employees are required to comply with the requirements of the Equal Opportunities, Diversity and Inclusion Policy at every stage of the recruitment process including production of job descriptions, advertising material, instructions given to recruitment agencies, shortlisting of applications, interviewing, selection decisions and offers of employment.
All policies and procedures reflect our commitment to achieving and maintaining equal opportunities within the workplace. It is the responsibility of every employee to monitor continually and evaluate formal and informal practices and procedures to ensure that they do not directly or indirectly discriminate against any individual or group of society.
The Company will treat all job applicants in the same way at each stage of the recruitment process, and no assumptions will be made on the basis of, for example, appearance or a foreign name. There will be no assumption that a foreign national or someone from an ethnic minority has no right to work in the UK.
Any employee who is found to be discriminating in any way during the recruitment process will be subject to the disciplinary procedure and may be liable to dismissal.
Monitoring Equal Opportunities, Diversity and Inclusion in Recruitment
In order for us to monitor the effectiveness of the Recruitment and Equal Opportunities, Diversity and Inclusion Policy it is necessary that all candidates complete the Equal Opportunities, Diversity and Inclusion Monitoring Form. Any data which is collected regarding gender and ethnic origins will be collected solely for the purpose of monitoring equal opportunity and will be held confidentially by the Company and protected from misuse.
Any vacancy must be authorised by the Managing director before any attempt is made to fill the role. In making the request to the Managing Director consideration should be given to whether the role could be absorbed amongst the rest of the team or elsewhere in the Company.
Once authorisation has been obtained, the person/manager recruiting must produce a job description for the vacancy which provides a fair and accurate representation of the role and follows the format which is laid out in the Job Description Form. The job description will include a clearly drafted person specification.
The job description will describe the duties, responsibilities and seniority of the post and the person specification will describe the qualifications, knowledge, experience, skills and competencies needed for the role to be carried out effectively.
The Job Description Form should be given to all candidates prior to interview to enable them to prepare adequately for the interview.
Particular care must be taken when producing job descriptions to ensure that unreasonable requirements are not placed on the job holder which cannot be objectively justified and may unfairly disadvantage certain groups e.g. women, ethnic minorities or disabled persons.
Job Descriptions and Person Specifications
Once authorisation has been obtained, the person/manager recruiting must produce a job description for the vacancy which provides a fair and accurate representation of the role and follows the format which is laid out in the Job Description Form. The job description will include a clearly drafted person specification.
The job description will describe the duties, responsibilities and seniority of the post and the person specification will describe the qualifications, knowledge, experience, skills and competencies needed for the role to be carried out effectively.
The Job Description Form should be given to all candidates prior to interview to enable them to prepare adequately for the interview which will improve the success of the interviewing process.
Particular care must be taken when producing job descriptions to ensure that unreasonable requirements are not placed on the job holder which cannot be objectively justified and may unfairly disadvantage certain groups e.g. women, ethnic minorities, elderly or disabled persons.
All vacancies must be advertised within the Company to all members of staff prior to external methods of recruitment being used. Wherever possible internal candidates will be considered in preference to external candidates and reasonable training and coaching will be provided to enable employees to achieve career advancement. Where it has not been possible to recruit within the Company, then external methods of recruitment may be considered. These may include approaching approved employment agencies or advertising on job boards.
Where the job is to be advertised, the proposed advertisement must be submitted to the HR department for approval. An advertisement must not show any intention to discriminate unlawfully.
In order to shortlist candidates for interviews, the Company will:
Identify specific job-related criteria using the job description;
Match these criteria with those detailed in the candidate’s CV; and
Use this information to select which candidates will be invited for interview.
Candidates who apply for positions with the Company, whether through a direct advertisement or a recruitment agency, will always be informed of the outcome of their application as quickly as possible. Where candidates have applied to the Company directly, they will be informed of the outcome in writing.
The interview will focus on the needs of the job and skills needed to perform it effectively in accordance with the guidance and procedures set down in the Company’s Interview Guidance Notes.
Managers conducting recruitment interviews will ensure that the questions that they ask job applicants are not in any way discriminatory or unnecessarily intrusive. A record of every recruitment interview will be made and passed to the HR department to be retained for a suitable period of time.
Once the most appropriate candidate has been selected, this appointment needs to be approved by the HR Manager and the terms and condition of the offer of employment must be confirmed by the Managing Director
In setting a starting salary, the Company must bear in mind the salary of existing employees in a similar role in order to ensure that inconsistencies are not created within the Company which could be challenged under the Equality Act 2010.
An offer should be made verbally to the candidate and, once agreed, a contract of employment must be raised and sent out with the offer letter.
The Company will comply with the requirements of the Home Office’s points-based system for the employment of foreign workers. Where a worker is to be recruited who is subject to immigration control, it is the responsibility of the HR Manager to ensure that the post in question comes within one of the tiers of the system and will comply with the requirements of that tier.
In the event that a post is eligible for sponsorship under tier 2 (general) or certain tier 5 sub-categories, the Company will carry out a recruitment search before appointing an overseas national.
In respect of tier 2 skilled workers and some tier 5 temporary workers who are to be recruited into the organisation, the Company will apply for a sponsor license to enable it to issue a certificate of sponsorship to relevant workers and will comply with all its obligations in this regard.]
All employment offers are conditional upon receipt of 3 professional references which are satisfactory to the Company. The referees should usually be the applicant’s current and previous employers although, in the case of a college or school leaver, a college tutor or teacher will be acceptable.
Details of referees will usually be sought from an applicant once an offer of employment is made and referees will not be approached without the applicant’s permission.
However, for senior positions the Company may require the applicant to provide details of referees prior to an offer of employment being made. With the applicant’s consent, the referees will be approached, and the responses received will form part of the selection decision.
References will usually be sought in writing and require that a standard reference form be completed. Details may be checked or clarified by telephone where necessary. If a response to a written request for a reference has not been received, then the Company will telephone the referee been and may seek an oral reference instead.
If references which are satisfactory to the Company are not received within a reasonable timescale then it may be necessary to withdraw the offer of employment.
When recruiting for posts that may be vulnerable to bribery risks (such as roles in Purchasing, Marketing or Distribution), and subject to the requirements of the Rehabilitation of Offenders Act 1974, the Company may need to carry out additional checks during the recruitment process.
These checks may include carrying out criminal record, bankruptcy and credit reference checks and/or taking up additional references.
All applicants are required to provide evidence of qualifications either in the form of original certificates, which will be copied and then returned or photocopies. Confirmation will be sought from the relevant Examination Board if certificates cannot be produced.
The employment offer will be conditional upon valid evidence of qualification and the offer may be withdrawn if this is not supplied within a reasonable timescale.
If an applicant falsifies certificates or evidence of qualifications and this subsequently comes to the attention of the Company at any stage during employment, then the individual will be subject to disciplinary action and may be liable to dismissal.
Work Permits and Illegal Working
It is against the law to employ a person who does not have permission to live and work in the UK. The Company could be prosecuted and fined under the Immigration and Asylum Act 1999 for employing somebody who does not have permission to work in the UK. The Company will not employ an individual unless he or she has a legal right to work in the UK.
All offers of employment will be subject to the successful candidate providing the required original documents showing evidence of his or her right to work in the UK (on an ongoing or restricted basis). The HR Manager will check the necessary documents during the recruitment process. All successful candidates will be required to provide evidence of one original piece of documentation from the list below once an offer of employment is made:
A document giving the person’s National Insurance number and name. This could be a P45, a National Insurance card or a letter from a government agency;
A document showing that the person can stay indefinitely in the UK or that they have no restriction preventing them from taking employment. This may be an endorsement in a passport or Home Office Letter;
A work permit or other approval to take employment from the Department for Education and Employment;
A document showing that they are a UK Citizen or have right of abode in the UK. This may be an endorsement in a passport, a birth certificate, a registration or naturalisation document or a letter from the Home Office;
A document showing that they are a national of a European Economic Area country. This may be a passport or national identity card: or
A document confirming registration with the Worker Registration Scheme.
In order to avoid discrimination, it is essential that the same criteria are applied to every person who is offered employment with the Company, regardless of their race, nationality or ethnic or national origins.
If an applicant is not able to produce one of the listed documents, then they will be advised to contact the Citizens Advice Bureau for further advice and their employment will be put on hold until evidence can be produced and the offer may be withdrawn.
In the event that an individual has time-limited permission to live and work in the UK he or she must provide evidence of his or her renewed right to live and work in the UK at the expiry of the current permission.
If it becomes evident to the Company during the course of an employee’s employment that he or she does not have the right to work in the UK, the Company will, following an investigation into the circumstances and having established that the employee does not have the right to work in the UK, terminate the employee’s contract of employment.
If a line manager becomes concerned that an employee in his or her team or department is working in the UK illegally, he or she should report the matter to the HR Manager, giving reasons for the concern. The HR Manager will investigate the matter further.
Personnel Records & Starter Procedures
Personnel records are held by the HR Manager. A file containing paper records is held for each employee and will include:
Contract of Employment;
Personal information – New Starter Form;
Next of kin;
Ethnic origin;
Home address;
Copy of Birth certificate (or similar proof of right to work);
Copy of marriage certificate if appropriate;
Copy of all qualifications;
Changes to terms and conditions;
Absence records;
Current Disciplinary details;
Records of any Training undertaken; and
Records of Objectives and Performance Appraisals.
These records are held in a secure environment, only accessible to the HR Manager. Electronic records may also be held by the HR Manager. This enables information gathering and quick access to employee records. Our accountants/payroll bureau also have/has limited access to enable them to run payroll and pay expenses. Employees will be asked annually to confirm the information we hold on them is correct.
Any applicants who consider that they have been unfairly treated or discriminated against during the recruitment process should write to the HR Manager stating the grounds of the complaint. Any employee who wishes to complain about his/her experience of the recruitment process should do so by means of the Grievance Procedure.
