Data Protection Policy
Provision of Data and Twycross Zoo's Processing
- In order to implement and manage these Terms and to enable Twycross Zoo to comply with its contractual and statutory obligations, Twycross Zoo will be required to process certain Personal Data relating to each Annual Ticket holder as set out in Term 2. This is detailed below in the Fair Processing Notice. For further details on how this may apply in practice, the Annual Ticket holder may contact Twycross Zoo using email@example.com.
- Each Annual Ticket holder will be issued with their own Annual Ticket and will be required to supply the following data: (a) their first name and surname; (b) their date of birth; (c) their residential address; (d) a contact telephone number; (e) a contact email address; and (f) a photograph which must be a true likeness of the holder, and which must conform to UK passport photo requirements. Each individual will be issued with their own digital Annual Ticket. The purchaser of an Annual Ticket must be 18 years or over (and if purchasing an Annual Ticket on behalf of a minor (under 18s) the purchaser confirms that they are a parent or guardian of the minor and are authorised to share the minor's personal data). Email addresses and phone numbers will not be collected for minors, and it is acceptable to include the address of the parent/guardian purchasing the ticket. Individuals over 16 but under 18 who are purchasing an Annual Ticket on behalf of themselves may provide their own data and in doing so accept these Terms and Conditions.
Fair Processing Notice
3. Twycross Zoo East Midlands Zoological Society Limited is a British-based conservation charity, with a registered office at Norton-Juxta-Twycross, Atherstone, Warwickshire, CV9 3PX. Twycross Zoo values the privacy of those individuals that it provides Twycross Zoo Annual Tickets to. This fair processing notice ("Notice") sets out the basis on which Twycross Zoo processes and protects the personal data we collect from you in connection with the Twycross Zoo Annual Tickets.
4. As Twycross Zoo is the company which was originally responsible for collecting information about you, it will be the Data Controller and can be contacted using the details set out below.
What personal information do we collect from you?
5. In relation to potential, historic customers and current Annual Ticket holders, we collect "Personal Information". This refers to information which identifies or is capable of identifying you as an individual. We collect the following data directly from you in the course of administering or promoting our Annual Tickets:
- Information that you provide when applying for an Annual Ticket.
- Details of any concerns if you contact us with a query or issue.
- When you complete a survey to tell us how your experience at the Zoo was and how we can improve, although you do not have to respond to this.
- Details of transactions you carry out to purchase an Annual Ticket including your credit/debit card details.
6. Your name, address, telephone number and/or email address and any other data fields noted in Term 2 are collected in order to contact you with details of your Annual Ticket or in the unlikely event that we need to contact you urgently about your Annual Ticket. These details are mandatory and failure to provide them means that we cannot provide you with an Annual Ticket.
7. Your photograph is collected to enable us to identify you on subsequent visits to allow us to manage against the potentially fraudulent use of tickets.
8. We comply with principles of "data minimisation", and only collect the types and volume of Personal Information required to achieve the purposes set out in this Notice.
What purposes do we use your personal information for and what is the legal basis?
9. We will use the Personal Information we collect for the purposes of: contacting you in relation to service information, including, but not limited to, information about changes to these Terms, expiry reminders for your Annual Ticket; ensuring the security and safety of our attractions as covered by your Annual Ticket; and carrying out our obligations arising from any contracts entered into between you and us and ensuring we receive payment as required. We may also send you marketing materials (where we have appropriate permissions) as explained in more detail below. Twycross Zoo does not however send marketing materials to any child under the age of 17.
10. We will also need to use your personal data for purposes associated with our legal and regulatory obligations, including in relation to ensuring the health and safety of Annual Ticket holders.
11. In the majority of cases, the processing of your personal data will be justified on one of the following bases: (i) it is provided for in the Twycross Zoo Annual Ticket Terms and Conditions, and therefore necessary to give effect to that contract; (ii) it is necessary for us to comply with a legal obligation; or (iii) it is in our legitimate interests as a business, and our interests are not overridden by your interests, fundamental rights or freedoms (marketing purposes described below, save where opt-in consent is required by other data protection laws in which case our legal basis shall be your consent for the purpose of GDPR). That legitimate interest is our freedom to operate and therefore use reasonable promotions.
PLEASE NOTE: If we have previously told you that we were relying on consent as the basis of our processing activities, going forward we will not be relying on that legal basis unless we have said that in this Policy.
12. Twycross Zoo shall only process special categories of data where necessary to perform the contract, and where the Annual Ticket holder has consented to providing such data or where Twycross Zoo is relying on a specific exemption provided under local laws of EU Member States and other countries implementing the GDPR. Where possible, Twycross Zoo shall seek to minimise the collection and use of such sensitive personal data, and shall ensure that appropriate safeguards are in place to protect such special categories of personal data.
13. Twycross Zoo only collects special categories of personal information about individuals under the age of 17 where the parent or guardian has provided "consent" on behalf of the relevant minor while purchasing an Annual Ticket in respect of that minor.
PLEASE NOTE: If you provide your explicit consent to allow us to process your special categories of data, you can withdraw your consent to such processing at any time. However, you should be aware that if you choose to withdraw your consent we will tell you more about the possible consequences (including if this means that certain services can no longer be provided).
14. We may use your personal data to send you direct marketing communications about our Annual Ticket or similar products available at the Zoo. This will be in the form of email, post, SMS or targeted online advertisements. Where we require explicit opt-in consent for electronic direct marketing in accordance with the Privacy and Electronic Communications Regulations we will ask for your consent. Otherwise, for non-electronic marketing or where we can rely on the soft opt-in exemption under the Privacy and Electronic Communications Regulations, we will be relying on our Legitimate Interests for the purposes of GDPR as further detailed above. You have a right to stop receiving direct marketing at any time - you can do this by following the opt-out links in electronic communications (such as emails), or by contacting us at firstname.lastname@example.org. We will keep a suppression list to ensure you don't receive further marketing unless you opt-in again, but we will still send you service messages - e.g. details about attraction opening times or updates to the terms linked to your Annual Ticket.
How long do we keep your personal information?
15. We will retain your personal data for as long as is reasonably necessary for the purposes listed above. In particular, where there has been no interaction from an Annual Ticket holder (e.g. a purchase, newsletter sign up), a record will be deleted after 5 years. Where we are required to do so to meet legal, regulatory, tax or accounting requirements, we will retain your personal data for longer periods of time, but only where permitted to do so, including so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a possibility of legal action relating to your personal data or dealings. We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required and we do not have a legal requirement to retain it, we will ensure it is either securely deleted or stored in a way such that it is anonymised, and the Personal Data is no longer used by the business.
Who do we share your personal data with?
16. We share Personal data with third parties, which include:
- Service Providers, who help manage our IT and back-office systems and assist with our Customer Relationship Management activities. Third parties that act as data processors are required to act only on our instructions as is necessary to perform services on our behalf and are required to comply with applicable legal requirements;
- Regulators, which include the ICO, as well as other regulators and law enforcement agencies in the E.U. and around the world; and
- Solicitors and other professional services firms (including our auditors).
17. Whilst we allow relevant staff, consultants and/or external third party service providers acting on our behalf to access and use your personal data for the activities we have described in this policy (e.g. to provide services or products to you, deliver mailings, to analyse data and to process payments), we only permit them to use it to deliver the relevant information, goods or services. Where we have engaged the services of a third party processor we have reviewed their privacy policies and security arrangements.
Furthermore, if required, we may disclose Personal Information in response to official government or regulatory requests; to law enforcement authorities to prevent physical harm or prevent or detect crime; or in the event of merger or acquisition.
Transfer of your personal information across borders
18. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests, in particular for internal group transfers we have in place an intra group data transfer agreement which incorporates the EU Model Clauses pursuant to Article 46(2) of the GDPR. For external group transfers, we will either:
- only transfer your personal data to countries which are recognised as providing an adequate level of legal protection in accordance with Article 45 of the GDPR; or
- ensure that transfers outside the European Union are subject to an appropriate legal safeguard - for example, the EU Model Clauses pursuant to Article 46(2) of the GDPR and/or the EU - U.S. Privacy Shield for the protection of personal data transferred to the US (for further details, please see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en).
19. You have a right to ask us for more information about the safeguards we have put in place in relation to any data transfer agreement under which your personal data is transferred. Any data transfer agreement made available to you may be redacted for reasons of commercial sensitivity.
Protection of your information
20. We have implemented reasonable physical, technical and administrative security standards to protect Personal Information from loss, misuse, alteration, destruction or damage.
21. You have the following rights in respect of your personal data:
- Access: to obtain a copy of your personal data together with information about how and on what basis that personal data is processed;
- Rectification: to rectify inaccurate personal data.
- Right to be Forgotten: to erase your personal data in limited circumstances where it is no longer necessary in relation to the purposes for which it was collected or processed;
- Restriction: to restrict processing of your personal data where: (a) the accuracy of the personal data is contested; (b) the processing is unlawful but you object to the erasure of the personal data; (c) we no longer require the personal data for the purposes for which it was collected, but it is required for the establishment, exercise or defence of a legal claim;
- Objection: to challenge processing which we have justified on the basis of a legitimate interest;
- Portability: to obtain a portable copy of your personal data, or to have a copy transferred to a third-party controller; and
- We do not carry out automated decision making but if we do in the future, we will notify you of this and set out your related rights.
22. To exercise your rights you can contact us as set out below. Please note the following if you do wish to exercise these rights:
- We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request.
- We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances.
- We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
- Local laws, including in the UK, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.