Your privacy is important to us
The purpose of this policy is to explain clearly how we collect and use the personal data you provide to us and that we collect. We ensure that we use your information in accordance with all applicable laws concerning the protection of your personal data.
If you have any queries about this policy or your personal data please contact:
Data Protection Officer
Edinburgh World Heritage
5 Bakehouse Close
Edinburgh EH8 8DD
+44 (0) 131 220 7720
We collect your contact information such as full name, company name, email address, postal address and telephone number when you email or call us with an enquiry.
We may also collect your details from publicly available sources such as LinkedIn in order to send you information about our services.
In addition to the above, we collect information automatically about your visit to our website. Please see our Cookies page for more details.
The personal data we collect will be used for the following purposes:
- Dealing with enquiries and requests about our services submitted to us via email or call
- Sending you information about our services which are applicable to you in your role
- Requesting information about your services which are applicable to you, your company, our company and our clients
- Dealing with enquiries and requests about recruitment and vacancies
Our legal basis for processing of your personal data is:
- Processing is necessary to meet contractual obligations entered into by you
- Processing is necessary for purposes of our legitimate interests in relation to goods and services that you use in your role
The legitimate interest pursued by us are as follows:
- In response to an enquiry from you about our good and services and recruitment
- For the purpose of promoting our goods and service via direct marketing which are relevant to you in your role. We will always confirm how your personal data was obtained and always offer an opt out of direct marketing communications
Enquiring about your goods and services which are applicable to our company or our clients.
How we protect your information
We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal or transactional information stored on our website and systems.
The security measures we’ve put in place include:
- The encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
We believe in being open, honest and transparent with our clients and suppliers and want you to feel comfortable about your decision to give us your personal data and how we use it.
We will use the details you provide to us to communicate with you about how we can help you in your role and help your company achieve its objectives.
We promise that we will only communicate with you in the way you wish us to and we will always respect your privacy. You can change your mind at any time and it’s quick and easy to let us know that you no longer want to hear from us by contacting the Data Protection Officer.
In certain instances, we collect and use your personal data by relying on the legitimate interest legal basis. This is because when you, for example, request to receive services or products from us, we have a legitimate organisational interest to use your personal data to respond to you and there is no overriding prejudice to you by using your personal data for this purpose.
- We will only communicate to you in the way you have told us. For example:
If you actively provide your consent to us along with your email address and/or mobile phone number, we may contact you for marketing purposes by email or phone call. By subscribing to Edinburgh World Heritage emails or opting into email communication from Edinburgh World Heritage, you grant us the right to use the email for email marketing.
If you have provided us with your postal address or telephone number we may send you direct mail or telephone you about our work unless you have told us that you would prefer not to receive such information.
You can also change any of your contact preferences at any time, including telling us that you don’t want us to contact you for marketing purposes or relevant media opportunities by contacting the Data Protection Officer.
We will never pass your personal data on to other organisations for them to use for their own marketing purposes.
However, we may disclose your personal data in the following circumstances:
To third parties who provide a service to us. These are mailing houses, couriers, email services providers and data processors. We require these third parties to comply strictly with our written instructions and data protection laws and we make sure that appropriate controls are in place. We enter into contracts with all our third parties and regularly monitor their activities to ensure they are complying with our policies and procedures.
Where we are under duty to disclose your personal data in order to comply with law or the disclosure is ‘necessary’ for purposes of national security, taxation and criminal investigation or we have your written consent.
Keeping your personal data
We keep your personal data for up to 6 years and 1 month after the creation date to operate the service in accordance with legal requirements and tax and accounting rules. Where your information is no longer required or is no longer relevant, we will ensure it is disposed of in a secure manner.
1. The right to access your personal data
You have a right to obtain confirmation that your personal data is being processed. You also have the right to request a copy of your personal data we hold.
We will provide a copy of your personal data within 30 days of receiving the written request. Should you wish to exercise these rights we require you to prove your identity with two pieces of approved identification (photo ID and proof of address such as utility bill). Please address requests to the Data Protection Officer.
Please contact us directly with all the requested information to help us locate your records.
We will respond within 28 days of your request.
2. The right to rectify and update your personal data
The accuracy of your personal data is important to us. You can rectify/update your personal data, including your address and contact details at any time. Please address requests to the Data Protection Officer.
Please provide as much information as possible about your request. We will investigate and confirm our decision within 28 days of the request.
3. The right to request to have your personal data erased
You have the right to request your personal data be erased. This is not an absolute right and we will review these on a case by case basis.
Should you wish to exercise these rights please address requests to the Data Protection Officer.
Please provide your reason for your request. We will consider this and advise you of our decision within 28 days of the request.
4. The right to restrict processing of your personal data
You have the right to ‘block’ or suppress processing of your personal data. However, we will retain just enough of your personal data to ensure that the restriction is respected in the future.
Should you wish to exercise these rights please address requests to the Data Protection Officer.
Please provide your reasons for us to restrict processing of your personal data. We will consider your request and respond with our decision within 28 days.
5. The right to object
You have the right to object to your personal data being processed, for marketing and for research purposes. From the very first communication from us and every marketing communication we send afterwards you will have the right to object to marketing.
Alternatively, you can exercise this right by contacting the Data Protection Officer.
Edinburgh World Heritage will action your request within 28 days of receiving it.
6. Your right to lodge a complaint with a supervisory authority
If you wish to lodge a complaint or seek advice from a supervisory authority please contact the Information Commissioner’s Office (ICO).
The ICO is the UK’s independent body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO can be contacted at:
The Office of the Information Commissioner
Wycliffe House Water Lane
Tel: +44 (0) 01625 545 745
Given that the Internet is a global environment, using it to collect and process personal data necessarily involves the transmission of data on an international basis. This means for instance that data you pass to us may be processed outside the European Economic Area, although the data will always be held securely and in line with the requirements of UK data protection legislation. By communicating electronically with us, you acknowledge and agree to our processing of personal data in this way.
A cookie is a small piece of information sent by a web server to a web browser, which enables the server to collect information from the browser.
Find out more about cookies on www.allaboutcookies.org.
Most browsers will allow you to turn off cookies. If you want to know how to do this, please look at the menu on your browser or the instruction on www.allaboutcookies.org. Please note however that turning off cookies will restrict your use of our website.
These cookies allow us to count visits and traffic sources to measure and improve our site’s performance. They help us to know which pages are the most and least popular and see how visitors move around the site.
We use Google Analytics to provide this service, which uses first party cookies. The data collected is not shared with any other party.
We also use Google Analytics to record how the site is performing through analysing visitor statistics. You can opt out of being tracked by Google Analytics using the Opt Out Browser Add-On from Google.
If you have used a Do Not Track browser setting, we take this as a sign that you do not want to allow these cookies, and they will be blocked.
If you would like to know more about the topic above, please contact us directly.