Duke’s Court Travel Ltd.

 

Privacy Policy

 

Effective Date: May 25th, 2018

 

Controller Details: Duke’s Court Travel Ltd. (“DCT”) is established in the EU and the controller of personal data collected regarding individuals located in the European Economic Area (“EEA Individuals,” “you,” or “your”) through the www.DCTFlights.co.uk website (the “Website”), including both the desktop and mobile web version, and our contact centers. This Privacy Policy describes our general privacy and security practices in connection with your personal data. Throughout your Website experience or when speaking with a contact center agent, you will also receive ‘just-in-time’ notifications at the time personal data is obtained for particular processing activities (such as when requesting a quote).

 

Except as otherwise defined in this Privacy Policy, all terms shall have the same meaning set forth in the European Union General Data Protection Regulation (EU) 2016/679 (the “GDPR”).

 

Purposes of Processing: When EEA Individuals inquire about our travel services and products (collectively, the “Services”), including by conducting searches, through the Website (including desktop and mobile web versions) or inquire/purchase such Services through our contact centers, DCT will process EEA Individuals’ personal data for the following purposes:

 

  • Provide the Services that you have requested (e.g., flight booking, hotel stays, car rentals, provision of ancillary products and services), including generating your PNR and transfer of such PNR and other personal data to other travel suppliers or service providers as needed for travel arrangements or payment processing/refunding;
  • Fraud detection and prevention;
  • Respond to customer inquiries and provide support (e.g., outbound phone calls from contact centers when you request a quote, responding to Contact Us inquiries); and
  • Email marketing when you become a DCT customer or sign up for our newsletter.

 

Legal Basis of Processing: DCT processes EEA Individuals’ personal data (1) in the case of providing travel services and fraud detection and prevention, as necessary for the performance of a contract to which such EEA Individual is a party or in order to take steps at the request of such EEA Individual prior to entering into a contract, (2) in the case of responding to customer inquiries/providing support, DCT’s legitimate interest in providing such services since EEA Individuals expect customer support for their travel plans. However, your consent shall be obtained before receiving phone calls from our contact centers when submitting a quote or support request online, and (3) your consent when signing up for our newsletter or email marketing generally, unless you have become a DCT customer in which case we send email marketing messages pursuant to our legitimate interest in providing other great deals for existing customers. EEA Individuals can opt-out of email direct marketing at any time by clicking ‘Unsubscribe’ at the bottom of any email.

 

Phone Support: As stated above, we ask your consent before submitting a request for a quote or otherwise contacting us through the Contact Us form. However, Services can only be purchased over the phone at DCT, and phone calls are necessary for provision of the Services. If you do not want to receive phone calls, please do not contact DCT through the Website forms.

 

Consequences of Not Providing Necessary Information: As stated above, DCT relies on the “necessary for performance of a contract” legal basis for provision of Services you have purchased. Failure to provide the mandatory information requested by our contact center will result in not being able to make such purchase. Further, to the extent such information is inaccurate, please correct it immediately (including by contacting DCT customer support) in order to ensure that the validity of your purchase is not affected.

 

Services can only be purchased over the phone and thus phone support is necessary for provision of, and support for, the Services. If you do not want to receive phone calls, please do not contact DCT,

 

PNR Data: A Passenger Name Record (PNR) is the record of your itinerary that is generated after booking through our contact center; it is the primary information submitted by you in order to enjoy our core services. This information is provided by you during the ordering process and passed on to the relevant supplier, such as airline or hotel, in order to enable your reservation. This information includes, as relevant, name, telephone number, email address, mobile number, date of birth, gender, age, payment details, co-traveler details, certain passport details, and itinerary.

 

Data Storage: DCT stores EEA Individuals’ personal data within its U.K.-based data center.

 

Data Transfer: DCT may need to transfer your personal data to various non-EEA based travel suppliers specifically for the purpose of fulfilling the Services you have purchased. Such transfers will be based on the following derogations in GDPR Article 49, as applicable: (i) for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request (Article 49(1)(b)); and/or (ii) for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person (Article 49(1)(c)).

 

Categories of Recipients: Given the nature of the travel business, DCT will transfer EEA Individuals’ personal data to the following categories of recipients (with examples) located worldwide when fulfilling bookings or other travel services purchased through our contact centers:

 

Airlines: American Airlines, United Airlines, Delta Airlines, Southwest Airlines

GDS: Amadeus, Sabre

Flight Aggregators: Travelfusion, Pyton, Mystifly, Kiwi, PKFARE

Flight Consolidators: CheapOair, DCT India PVT, DCT Europe LTD

Hotel Aggregators: Hotelbeds Group (HBG), Tourico, GTA, Expedia Affiliate Network, Booking.com, Getaroom

Car Rentals: Enterprise Holdings, AutoEurope,

Credit Card Payment Processors: Chase, Bank of America, American Express, PayPal

Other: Mozio (transfers), CIBT (visa passport services), Viator (activities/tours), Park ‘N Fly (parking), Wayblazer (content personalization)

 

Retention: We will retain your Personal Information for the periods outlined in our retention policy, unless a longer retention period is required by law (including the establishment, defense, or exercise of potential legal claims). Our data retention policy, including retention of sales data, can be found here.

 

Information Security: DCT has a legitimate interest in ensuring cyber security and detecting possible criminal acts or threats to public security (including to prevent unauthorized access to networks and stopping damage to computers and systems), and employs a variety of technical and organizational measures to do so, which requires processing certain data to fulfill such purposes.

 

Our web servers will also log your requesting IP address, the page requested, request time, referrer information, what URL you came from, browser information, and the status of the request (for example, if a page does not exist, a 404 error code will be returned). Such information is used to help maintain the Website, ensure that our services are available, and prevent malicious or otherwise harmful attacks to our back-end systems.

Governmental Access Requests: DCT may be required to disclose personal data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.

 

Corporate Restructuring: In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, would be transferred to the surviving entity in a merger or the acquiring entity. All such transfers shall be subject to our commitments with respect to the privacy and confidentiality of such personal data as set forth in this Privacy Policy. This Privacy Policy shall be binding upon DCT and its legal successors in interest.

 

Your Rights: Natural persons have a right to: (i) request access to, correction and/or erasure of their personal data; (ii) object to processing of their personal data; (iii) restrict processing of their personal data; and (iv) request a copy of their personal data, or have a copy thereof sent to another controller, in a structured, commonly used and machine-readable format under the right of data portability. These rights may be exercised by contacting Privacy@dukescourttravel.com.

 

Objecting to Legitimate Interest/Direct Marketing: Natural persons may object to personal data processed pursuant to DCT’s legitimate interest. In such case, DCT will no longer process their personal data unless DCT demonstrates appropriate overriding legitimate grounds for the processing or if needed for the establishment, exercise, or defense of legal claims. Natural persons also may object at any time to processing of their personal data for direct marketing purposes. In such case, their personal data shall no longer be used for that purpose. In cases of direct marketing, natural persons often will be able to fulfill such rights directly via an ‘Unsubscribe’ link, but may always reach out to Privacy@dukescourttravel.com or our address given below.

 

Please note that if you opt-out of receiving direct marketing from us, we may still send you important administrative messages via email, from which you cannot opt out (unless an applicable retention schedule or right to erasure request requires deletion of such email address).

 

Right to Lodge a Complaint: In accordance with GDPR Article 77, natural persons also have the right to lodge a complaint about DCT’s processing of their personal data with a competent supervisory authority, in particular in the member state of their habitual residence or place of work, or where an alleged GDPR infringement took place, as applicable.

 

Further, as applicable, natural persons may exercise their third-party beneficiary rights under DCT’s Standard Contractual Clauses.

 

Use of Our Services by Minors: DCT’s services are not directed to individuals under the age of eighteen (18), and we request that they not provide personal data to DCT through any means.

 

Updates to this Privacy Policy: If, in the future, we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately (either within this Privacy Policy or elsewhere), and the “Effective Date” at the top of this page will be updated accordingly.

 

Contacting Us: If you have any questions regarding our privacy practices, please contact us via email at Privacy@dukescourttravel.com or write to us at:
Duke’s Court Travel
Mill House, 216 Chiswick High Rd
London W4 1PD
Attn: Customer Service/Privacy

 

Because email communications are not always secure, please do not include credit card or other sensitive information in your emails to us.