GDPR Compliance Policy

Last updated: 3 March 2026

    Hale Technology Limited, trading as Campsites UK, is committed to ensuring full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy outlines our approach to data protection and the measures we have implemented to safeguard the personal data of our users, customers, park owners, employees, and partners.
  

1. Scope

This policy applies to all personal data processed by our organisation, regardless of the format in which it is held (digital, paper, or otherwise). It applies to all employees, contractors, partners, and third-party service providers who process personal data on our behalf, as well as park owners who receive guest data through our booking platform.

2. Data Protection Principles

We adhere to the seven key principles of data protection as set out in Article 5 of the UK GDPR:

Lawfulness, Fairness, and Transparency — Personal data is processed lawfully, fairly, and in a transparent manner.
Purpose Limitation — Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Minimisation — Personal data collected is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
Accuracy — Personal data is accurate and, where necessary, kept up to date. Reasonable steps are taken to ensure inaccurate data is rectified or erased without delay.
Storage Limitation — Personal data is retained only for as long as necessary for the purposes for which it was collected.
Integrity and Confidentiality — Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Accountability — The data controller is responsible for, and must be able to demonstrate, compliance with all the above principles.

3. Lawful Basis for Processing

We identify and document the lawful basis for every processing activity before any personal data is collected or processed. The lawful bases under Article 6 of the UK GDPR that we rely upon include:

Consent of the data subject
Performance of a contract with the data subject (e.g., processing bookings)
Compliance with a legal obligation (e.g., HMRC reporting requirements)
Protection of vital interests of the data subject or another person
Performance of a task carried out in the public interest
Legitimate interests pursued by us or a third party, provided these do not override the fundamental rights and freedoms of the data subject

4. Data Subject Rights

We recognise and facilitate the exercise of all rights afforded to data subjects under the UK GDPR:

4.1 Right to Be Informed

We provide clear and transparent information about how we process personal data through our Privacy Policy and any relevant privacy notices at the point of data collection.

4.2 Right of Access (Subject Access Request)

Data subjects have the right to obtain confirmation of whether their personal data is being processed, and if so, to receive a copy of that data. Subject Access Requests (SARs) are responded to within one calendar month of receipt.

4.3 Right to Rectification

Data subjects may request the correction of inaccurate personal data or the completion of incomplete data. We will action such requests without undue delay.

4.4 Right to Erasure

Data subjects may request the deletion of their personal data where it is no longer necessary for the purpose it was collected, where consent has been withdrawn, or where there is no other legal basis for continued processing.

4.5 Right to Restrict Processing

Data subjects may request the restriction of processing in certain circumstances, such as where the accuracy of the data is contested or where processing is unlawful.

4.6 Right to Data Portability

Where processing is based on consent or contract and is carried out by automated means, data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format (e.g., CSV or JSON).

4.7 Right to Object

Data subjects have the right to object to processing based on legitimate interests or direct marketing. We will cease such processing unless we can demonstrate compelling legitimate grounds.

4.8 Rights Related to Automated Decision-Making

Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects.

5. Data Protection Impact Assessments (DPIAs)

We conduct Data Protection Impact Assessments for any processing activity that is likely to result in a high risk to the rights and freedoms of individuals. This includes, but is not limited to:

Large-scale processing of sensitive personal data
Systematic monitoring of publicly accessible areas
Automated decision-making with legal or significant effects
Use of new technologies that may pose privacy risks
Processing of guest location data through our booking and mapping services

6. Data Breach Management

We have established procedures to detect, report, and investigate personal data breaches. In the event of a breach:

The breach will be assessed and documented within 24 hours of discovery
If the breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO within 72 hours
If the breach is likely to result in a high risk to affected individuals, we will notify those individuals without undue delay
All breaches, including those not reported to the ICO, will be logged in our internal breach register
Park owners will be notified if the breach involves guest booking data shared through our platform

7. Data Processors and Third Parties

Where we engage third-party data processors, we ensure that:

A written Data Processing Agreement (DPA) is in place in accordance with Article 28 of the UK GDPR
The processor provides sufficient guarantees of appropriate technical and organisational measures
Regular audits and reviews of processor compliance are conducted
Sub-processing is only permitted with our prior written authorisation

Park Owners as Joint Controllers

Park owners who receive guest personal data through our platform are considered joint controllers for certain processing activities (e.g., managing bookings, guest communications). Park owners are required to handle all guest data in accordance with the UK GDPR and our Park Owner Data Processing Agreement.

8. International Data Transfers

We do not transfer personal data outside the United Kingdom unless:

The destination country has an adequacy decision from the UK Secretary of State
Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules
A specific derogation under Article 49 of the UK GDPR applies

All international transfers are documented and subject to regular review.

9. Data Retention

We maintain a data retention schedule that specifies the retention period for each category of personal data. Key retention periods include:

Booking records: 6 years (HMRC requirements)
User accounts: duration of account plus 2 years after deletion request
Marketing consent records: duration of consent plus 1 year
Support communications: 3 years from last contact
Analytics data: 26 months (anonymised thereafter)

Upon expiry of the retention period, data is securely deleted or anonymised.

10. Training and Awareness

All employees and contractors who process personal data receive regular data protection training. This includes:

Induction training for new staff covering the principles of UK GDPR
Annual refresher training on data protection policies and procedures
Specific role-based training for staff handling sensitive or high-risk data
Updates on changes to data protection legislation or organisational policies

11. Data Protection Officer

Our Data Protection Officer (DPO) can be contacted at: [DPO Email Address].

The DPO is responsible for:

Overseeing the implementation of this policy
Monitoring compliance with the UK GDPR and internal data protection policies
Advising on Data Protection Impact Assessments
Acting as the point of contact for the ICO and data subjects

12. Review and Updates

This policy is reviewed annually, or sooner if there are significant changes to our processing activities, organisational structure, or applicable legislation. All updates will be communicated to relevant stakeholders.

13. Complaints

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: https://ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF