The Winchester Royal Hotel understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all of our customers and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.
1. Information About Us
The Winchester Royal Hotel (St. James’s Hotel (Winchester) Limited, a Limited Company registered in England under company number 08904792) has its trading address at: The Winchester Royal Hotel, St Peter Street, Winchester, Hampshire, SO23 8BS.
The Hotel is part of a hotel group: St James’s Hotel Group Limited, a Limited Company registered in England under company number 08898826, operating Hotels and Hospitality Management Services, and St James’s Hotel Management Limited, a Limited Company registered in England under company number 08898743, operating Hotels and Hospitality Management Services. Their trading address is: Chapel Court, 2 Holly Walk, Leamington, CV32 4YS.
Data Protection Officer: Data Compliance Manager
Email address: GDPR.firstname.lastname@example.org
Telephone number: 01295 222910.
Postal Address: Chapel Court, 2 Holly Walk, Leamington, CV32 4YS
2. What Does This Notice Cover?
This Privacy Information explains how we use your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.
3. What is Personal Data?
Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
The personal data that we use is set out in Part 5, below.
4. What Are My Rights?
Under the GDPR, you have the following rights, which we will always work to uphold:
a) The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Part 11.
b) The right to access the personal data we hold about you. Part 10 will tell you how to do this.
c) The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Part 11 to find out more.
d) The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have. Please contact us using the details in Part 11 to find out more.
e) The right to restrict (i.e. prevent) the processing of your personal data.
f) The right to object to us using your personal data for a particular purpose or purposes.
g) The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.
h) Rights relating to automated decision-making and profiling. Part 6 explains more about how we use your personal data, including automated decision-making and/or profiling.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 11.
Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.
If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
5. What Personal Data Do You Collect?
In running and operating our business, we may collect and process certain data and information relating to you and your use of our website. This may occur when you visit our website, when you correspond with us electronically (such as by email) or by post, and when you visit or stay at our hotels. Your privacy is important to us and we confirm that we will never release your personal details to any third party for their mailing or marketing purposes without your prior consent. We may collect some or all of the following personal data (this may vary according to your relationship with us):
• Full or partial contact details including names and addresses (including business details if you are making a corporate booking), telephone and email details.
• If you have special requirements, then it may also be necessary to collect details about diet or disability or any other preferences that you may have.
• Car parking arrangements at our hotels and restaurants may also make it necessary for us to collect your car registration number for your visit to us.
• If you make a purchase from us, your card information is not held by us, it is collected by our third-party payment processors, who specialise in the secure online capture and processing of credit/debit card transactions, as explained below.
• We collect payment card information from you should you choose to use this form of payment for purchasing or guaranteeing use of our products and services. You may choose to store this information with us when booking online, for the purpose of making your future St. James’s Hotel bookings more quickly, via SecureTrading™, our secure online PCI DSS accredited facility.
• We may monitor and record CCTV (in public areas) and communications with you (such as telephone conversations and emails) for the purposes of quality assurance, training, fraud and crime prevention, as well as compliance.
• If you choose to connect with us via social media links, for example Facebook, LinkedIn, Pinterest, or Twitter (for further details see Appendices II), we may collect your user name, your name (including surname) and email address, your gender, and your location. We may also collect your birthdate and other significant dates for making special offers to you around your birthday and other anniversaries.
• From our overseas guests we may also collect passport details.
• If you provide us with any personal data relating to any third party (e.g. information about your spouse, children, employees or colleagues) for particular purposes, by submitting such information to us, you warrant and represent to us that you have obtained the consent of such third party to provide us with their personal data for the respective purposes.
6. How Do You Use My Personal Data?
Under the GDPR, we must always have a lawful basis for using personal data. This may be because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it. Your personal data will be used for:
We process the personal information you have provided to us for the purposes of:
• dealing with your requests;
• providing reservation services;
• to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
• to notify you about changes to our service;
• to ensure that content from our Websites is presented in the most effective manner for you and for your computer;
• tailoring our services to your requirements and preferences;
• prospective employment enquiries and applications (via Harri);
• conducting market research surveys and providing you with information about products and services we offer (where you have provided us with your consent to do so); and
• Health and Safety and Incident records, which may be shared with our insurers and other third parties, including statutory authorities.
• We process personal information we have collected about you for the purposes of:
o administering our Websites and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
o improving our Websites to ensure that content is presented in the most effective manner for you and for your computer;
o allowing you to participate in interactive features of our service, when you choose to do so;
o our efforts to keep our Websites safe and secure;
o measuring or understanding the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you; and
o making suggestions and recommendations to you and other users of our Site about goods or services that may interest you or them.
o Where we have received personal information from other sources, we may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
• With your permission and/or where permitted by law, we may also use your personal data for marketing purposes, which may include contacting you by email and/or telephone and/or text message and/or post with information, news, and offers on our products and services. You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt out.
We may analyse your personal information to create a profile of your interests and preferences so that we can contact you with information relevant to you. This automated processing is intended to evaluate certain personal aspects of an individual. We may also use your personal information to detect and reduce fraud and credit risk.
• To enable certain features and functions on group websites (e.g. remembering your user-id, browsing and other product and/or service preferences);
• To identify the causes of problems arising at web servers and to resolve these problems or improve efficiency of group websites;
• To improve the contents of group websites and emails from us;
• To customise the contents of group websites and emails from us to suit your individual interests or preferences;
• To utilise your browsing history on group websites and the results of questionnaires for market research or marketing, including sending you advertisements via group websites;
• To obtain aggregated group website usage and visitation statistics;
• To administer services to you; and for purposes which are reasonably related to the aforesaid.
• Details of the cookies which we use are provided in Appendices II. If you do not know what Cookies are, or how to control or delete them, then we recommend you visit http://www.aboutcookies.org or http://www.youronlinechoices.com for detailed guidance. If you are not happy, then you should either not use our sites, or you should delete Cookies having visited the site, or you should browse the site using your browser’s anonymous usage setting (called “Incognito” in Chrome, “InPrivate” in Internet Explorer, “Private Browsing” in Firefox and Safari etc).
• Phishing is the practice of tricking someone into giving confidential information. Examples include falsely claiming to be a legitimate company when sending an e-mail to a user, in an attempt to get the user to send private information that will be used for identity theft and fraud.
• We will never ask you to confirm any account or credit card details via email. If you receive an email claiming to be from any St. James’s Hotel asking you to do so, please ignore it and do not respond. You can contact our Data Compliance Manager to report it or if you are unsure.
• Our guest Wi-Fi service is provided by a contracted, trusted third party. If you choose to use the service to access web sites or content provided by third parties or purchase products from third parties, then your personal information may be available to the third-party provider. The way third parties handle and use your personal information related to the use of their services is governed by their policies. St. James’s Hotels Group Limited and its Subsidiaries have no responsibility for their policies, or third parties' compliance with them. Our guest wireless/wired systems use radio channels or local area networks to transmit voice and data communication information; privacy therefore cannot be guaranteed, and St. James’s Hotels Group Limited and its Subsidiaries shall not be liable to you for any lack of privacy you experience while using the service.
• Whilst we take reasonable, appropriate technical and organisational measures to safeguard the personal data that you provide to us, no transmission over the internet can ever be totally guaranteed secure. Consequently, please be aware that we cannot guarantee the complete security of any personal data that you transfer over the internet to us whilst in transit. Sending such information is entirely at your own risk.
• We advise that you follow general internet security guidelines:
o Always log out and close the website browser when you complete an online session, especially if you are using a computer or terminal in a public location.
o Keep your online account passwords private. Our online accounts are intended for single guest use and link information provided to your guest record.
o When creating a password, use at least 8 characters. A combination of letters and numbers is best. Dictionary words, your name, email address, or other personal data that can be easily obtained are best avoided for passwords.
o Avoid using the same password for multiple online accounts.
7. How Long Will You Keep My Personal Data?
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept in accordance with St. James’s Hotel Group Retention Policy.
Should you choose to unsubscribe from our mailing lists, please note that your personal data may still be retained on our database to the extent permitted by law.
8. How and Where Do You Store or Transfer My Personal Data?
We may store or transfer some or all of your personal data in countries that are not part of the European Economic Area (the “EEA” consists of all EU member states, plus Norway, Iceland, and Liechtenstein). These are known as “third countries” and may not have data protection laws that are as strong as those in the UK and/or the EEA. This means that we will take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the GDPR as follows.
We share your data within the group of companies of which we are a part. Where this involves the transfer of personal data outside the EEA, our group ensures that personal data is protected by requiring all companies within the group to follow the same rules with respect to personal data usage. These are known as “binding corporate rules”. More information on binding corporate rules is available from the European Commission.
9. Do You Share My Personal Data?
We may share your personal data with other companies in our group who share central reservation and data processing systems. This includes subsidiaries and/or our holding company and its subsidiaries.
We may sometimes contract with the following third parties to supply products and/or services to you on our behalf. These may include corresponding with you on our behalf, assisting us in the management functions of our business, and the processing of data, payments, delivery, and marketing. In some cases, those third parties may require access to some or all of your personal data that we hold.
If any of your personal data is required by a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law, as described above in Part 8.
If any personal data is transferred outside of the EEA, we will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the GDPR, as explained above in Part 8.
In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
10. Links to other websites
In addition, if you were referred to our website from a third-party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third-party site and recommend that you check the policy of that third-party site.
11. How Can I Access My Personal Data?
If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 12. To make this as easy as possible for you, a Subject Access Request Form is available for you to use. You do not have to use this form, but it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible.
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will respond to your subject access request within 28 days and, in any case, not more than one month after receiving it. Normally, we aim to provide a complete response, including a copy of your personal data, within that time. In some cases, however, particularly if your request is more complex, more time may be required, up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
12. How Do I Contact You?
To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details (for the attention of the Data Controller):
Email address: GDPR.email@example.com.
Telephone number: 01295 222910.
Postal Address: RequestSAR, St. James’s Hotel Group Ltd, Chapel Court, 2 Holly Walk, Leamington, CV32 4YS.
13. Opt Out
You have a choice about whether or not you wish to receive information from us. We will not make contact with you unless you have opted in. If you then no longer want to receive direct marketing communications from us about the hotels and our favourite local areas, you can change your preferences or completely unsubscribe in one of two ways:
• Click the ‘unsubscribe’ or ‘change preferences’ link at the bottom of marketing emails sent to you
• Email GDPR.firstname.lastname@example.org or telephone 01295 222910 and we will process your request within 28 days
We will not contact you for marketing purposes by email, phone or text message unless you have given your prior consent. We will not contact you for marketing purposes by post if you have indicated that you do not wish to be contacted.
14. Business Transfer
In the event that our business is transferred, sold or integrated with another business, your details may be disclosed to our advisers and any prospective purchaser’s advisers and may be passed to the new owners of the business.
15. Changes to this Privacy Notice
We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.
Any changes will be made available via our website sjhotels.co.uk. Following any changes, the new version of the policy will be uploaded to the websites and the old versions removed. Please check our website frequently to see any updates.
We use analytics Cookies to find out more about how you use our website – like the pages you visit, the searches you make and your preferences in order to improve the user experience. All user data is anonymous. You can find out more about Google’s position on privacy as regards its analytics service at;
Internet Booking Engine
Our sites use a third-party Internet Booking Engine (IBE) to take your hotel reservations. The system we use (Rezlynx) is provided by Guestline Limited. Details of Guestline's policies can be found at;
We use Guest Revu, a third-party company, to obtain guest feedback. We see feedback as a vital part of “legitimate business” for hotels and their guests, to measure and monitor the standards and satisfaction levels of a provided service. Guest Feedback is a specific process that gives each and every guest a chance to comment on whether they have received good service for a particular event or stay, or enjoyed a good experience. It’s done for the guests’ benefit, to meet their needs and expectations, to measure and improve their experience, and in order to maintain standards and service levels for guests.
The link to Harri enables Applicants to register their interest in the job vacancies we may have from time to time. Further details can be obtained at;
At the Winchester Royal Hotel, we use a third-party event and banqueting enquiry, booking, and management system operated and supported by Event 500. Data in relation to enquiries and bookings is stored on their server systems.
Our hotel Wi-Fi systems are provided by Siemlus. This company uses Location Based Services (LBS) to understand traffic patterns in venues. The location data we capture helps us to understand usage, enhance operational efficiency and improve the user experience.
Other websites which we have widget links to include;