3rd Party Privacy Notice



  1. Scope

Our Privacy Notice describes the ways we collect your personal information and governs how we will deal with it. We aim to ensure that any personal information we obtain and use will always be held, used and transmitted in compliance with the Data Protection Act 1998 (or its successor) and the EU General Data Protection Regulations (together referred to as the ‘Data Protection Laws’)

Where this Privacy Notice contains hyperlinks to other pages on our website, we recommend you click on those links as they may contain additional important details about our Data Protection Policy.

This Privacy Notice is applicable to all 3rd parties engaging with or contacted by the Derby Conference Centre (DCC).

The website containing this Privacy Notice may contain links to third parties’ websites. DCC takes no responsibility for the privacy practices or the content of those websites. Therefore, please read carefully any privacy policies on those websites before either agreeing to their terms or using those websites.

This Privacy Notice applies with immediate effect to all Personally Identifiable Information collected either in person or any other means.

DCC may occasionally amend this Privacy Notice to reflect regulatory requirements and changes in our information collection and disclosure practices. Any new Privacy Notice will automatically be effective when it is published on the website or issued to you directly. We advise you to print a copy for your records.


  1. Responsibilities

The RTC Group Data Protection Representative, acting on behalf of DCC, has overall responsibility for ensuring that this notice is applicable, compliant and in accordance with the RTC Group Data Protection Policy. The DCC Data Protection Representative (DPR) is responsible for ensuring that the contents of the Notice are implemented on behalf of the RTC Group, where applicable. DCC is part of the RTC Group of companies.

All staff of the RTC Group of companies, who interact with data subjects are responsible for ensuring that this notice is drawn to the data subject’s attention and where applicable, their consent to the processing of their data is secured.


  1. Privacy Notice
  • Who are we?

Built as the first purpose-built training college for railway staff, the building which now houses The Derby Conference Centre, first opened in 1938. Designed by William H. Hamlyn, who was the London Midland and Scottish Railway’s principal architect, it cost £50,000 to construct, and was the first of its kind in the UK.

The Derby Conference Centre now offers conferencing, event management and guest facilities to both individuals and corporate clients from all over the world.

As part of our commitment to protecting the personally identifiable information collected and processed from our guests, clients and suppliers, we have implemented a strict Data Protection Policy.

As part of our commitment to transparency we have created this Privacy Notice.

As part of our commitment to managing individual’s rights, the Derby Conference Centre have appointed a Data Protection Representative (DPR).

Our Data Protection Representative (DPR) can be contacted directly here:


  • What information do we collect?

The personal data we would like to collect on you is detailed below:

If you are; Personal data type: Source Legal Basis
 A Hotel Guest  Contact Information, such as name, email address, address and telephone number  If you submitted this information at the time of booking accommodation.  Legitimate Interest / Contract
 An Event Organiser  Contact Information, such as name, email address, address and telephone number  If you have booked a conference or event facilities with us.  Legitimate Interest / Contract
 An Event Attendee  Contact Information, such as name, email address, address and telephone number  If you have attended a conference or event and you have left us your business card.  Legitimate Interest / Contract
 A Client or Prospective Client  Contact Information, such as name, email address, address and telephone number  Provided prior to or during contract engagement, or gathered from publicly available sources such as websites, LinkedIn etc.  Legitimate Interest / Contract / Consent
 A Supplier or Prospective supplier  Contact Information, such as name, email address, address and telephone number  Provided prior to or during contract engagement, or gathered from publicly available sources such as websites, LinkedIn etc.  Legitimate Interest / Contract / Consent
 A website visitor  Navigation and click-stream data, the time of accessing the website, duration of your visit, and pages you viewed or searched for  Our Website  Legitimate Interest / Contract
 A website visitor  Information from cookies or web beacons  Our Website  Legitimate Interest / Contract

It may be necessary for us to collect data, which under Data Protection Law is classified as Special Categories of Personal Data.

The special categories of personal data referred to within the EU GDPR are;

  • Racial
  • Ethnic origin
  • Political opinions
  • Religious beliefs
  • Philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Data concerning a natural person’s sex life
  • Sexual orientation

It is anticipated that the only Special categories of personal data required will be occasional health information relating to allergies or specific accommodation mobility requirements.

Consent will always be sought prior to this data being stored and processed.

  • 3.3 How we collect your information if you are a Guest or Event Attendee

DCC obtains information from you in the following four ways:

A) Personal Interaction

If you are booking a room or checking into our hotel we may collect personal information associated with your identity and contact details.

B) Submitting your details

If you are booking accommodation or facilities through our, or a third parties website.

C) Automatic collection

Like most websites, our website uses cookies and web beacons to enhance your visitor experience.  Please visit our cookie policy for further details.

D) Contractual collection

We may collect specific pieces of information that are required for us to meet our contractual obligations with you whilst providing our facilities or services to you or your company.

D) Information from third parties

DCC may also obtain information about you directly from third parties, such as Social Media sites, referrals, your own company website.  If we have found your details via a third party, and we do not require them for contractual purposes they will only be retained during the process of establishing your consent for us to contact you.

E) Visual recordings – CCTV

DCC may also collect visual recordings of you inadvertently as we monitor the security and integrity of our facilities.  This is to protect both staff and guests.


Independent of how we collect your data, we will always ensure that you have access to the relevant Privacy Notice.

If we have gathered your information from a 3rd Party we will always seek authorisation from you to store and process your data.

Additional Terms and Conditions associated with using our website, including our use of cookies, can be found here.

If you want to disable cookies you need to change your website browser settings to reject cookies.

  • 3.4 What will we do with your information if you are a DCC guest, client or supplier

We will process and store your information for any or all of the following purposes;

Booking a room, a facility or an event.

The principal purposes for which we collect and store your personal information whilst you are booking a room, a facility or an event is to ensure that we provide you with the best possible service as per your requirements. We may use your contact details to contact you to inform you of changes or to confirm arrangements.

During your stay

DCC may retain personal information collected during your stay or attendance at an event to ensure we provide you with the best possible service in accordance with your requirements. This could involve seeking clarification on your requirements as a guest or a client. We may gather specific health information to ensure your safety and health needs are met during your stay.

After your stay, attendance at an event

DCC may ask for your consent to retain basic information including contact details and address, to assist with your next booking experience.

If you have supplied your details to our Business Lounge or via our online feedback form

DCC may contact you, if you have given us consent to do so, to keep you up to date with Business Lounge activities, offers and opportunities.

To assist with marketing of DCC Services and facilities

We may use an IP address to identify you and to gather broad demographic information about you, which may be used to assist DCC in market segmentation activities, to help identify problems with our server and to administer our website.

New Business Development

Occasionally, DCC may contact you by telephone or email to inform you of our services and capabilities with the intention of developing new business.

If you do not object to receiving marketing material at the time the information was collected from you, but subsequently change your mind and no longer wish to receive this information, you can opt out.

  • Sharing with 3rd Parties

DCC will not sell your personal information to third parties. However, on occasions it is necessary for us to share personal information with third parties as described below for the purposes described above.

3rd Party Data and Purpose
Website analytics providers DCC collates statistics about site traffic, sales and other commercial information. This information is collected through third parties to assist us in improving the services we provide to you. We also use demographic information to tailor the website to the interests of our clients, which we share with third parties, again on an aggregate basis only so that they can build up a better picture of our customer base and general consumer trends.
Accounting Software DCC may require to store or process your data with third parties as is necessary to process remittances or invoices.
Vital Health Information DCC may share vital health information relating to allergies or special needs if it is essential to maintain your health or life.
Legal entities DCC may disclose your personal information if necessary to comply with regulations or law or to assist with law enforcement, to enforce the terms under which you are contracted with DCC or to protect our or other third parties property and other rights.
Successor In the event that DCC is sold, or some of its assets transferred to a third party, your personal information, as a valuable asset of the company, may also be transferred. However, use of your personal information will remain subject to this Privacy Notice. Similarly, your personal information may be passed on to a successor in interest in the event of a liquidation or administration of DCC.

Where possible all data processors will be within the EEA.  If it is a requirement to transfer data outside of the EEA, this will be in accordance with 3.6 Transferring Data outside of the EAA.

  • Transferring outside of the European Economic Area (EAA)

DCC will only transfer data outside of the EAA if necessary.

DCC does not currently transfer your Data outside of the European Economic Area. However, should there be a general business requirement to do so, we will record the details in the table below and re-issue this Privacy Notice.

Third country (non-EU)/international organisation Safeguards in place to protect your personal data Retrieve a copy of the safeguards in place here:

Should we be required to pass your information onto a country outside of the European Economic Area on an individual basis, we will seek your consent to do so. This consent will be based on a suitably communicated risk assessment.

  • 3.7 Consent and Contractual Obligations

For the purposes of this Privacy Notice, the DCC refer to Consents and Contractual Obligations.

Consent; requires a physical record from yourself.

If we have been provided with your details via a 3rd party, we will seek your consent to retain that information. Should this consent not be granted, upon your request, we shall remove your details from our system.
By using the DCC facilities you are entering into a Contractual Obligation, which will be implemented in accordance with this Privacy Notice.
Should you request that we refrain from contacting you in the future, we will, with your permission, retain and restrict minimal information to which we can record a note of your restrictions.

DCC will seek formal consent if data is to be used for the following activities;

1. Processing of EU GDPR defined Special Categories of Personal Data, ( i.e. Any data associated with Health, or our Equality & Diversity Commitment).
2. Adding of your contact details to a marketing list such as that associated with the Business Lounge.
3. Processing of your data in a country other than in the European Economic Area or the United States.

Where we are asking you for Special Categories of Personal Data we will always tell you why and how the information will be used.

You may withdraw Consent or Permission at any time by contacting us at optout@thederby conferencecentre.com .

  • 3.8 Profiling and Automated processing

DCC do not carry out automatic profiling or processing of personal data.

  • 3.9 Retention period

DCC will retain your personal data only for as long as is necessary for the purpose we collect it. Dependent upon the type of data this will be for different periods of time.  We will process, store and dispose of Personal Data in line with the RTC Group Information Security Management Manual.

  • 3.10 How will we contact you?

We will contact you in the following circumstances;

For the purposes of this Privacy Notice the following definitions apply:

Guest: An individual who has stayed at the hotel, used our facilities (such as the bar or restaurant) or attended an event.

Client: An individual or company who has booked our facilities for an event.

Circumstance How Why
If you are prospective Guest Telephone or email in the first instance. If you are expressing interest in using our facilities
If you are a future or existing Guest Telephone or email in the first instance. If we have received your consent, to keep you up to date about our facilities / offers.
If you are referred to us as a prospective client Telephone, email or social media where appropriate. To find out if you are content to be referred, communicate our Privacy Notice and to confirm if you want to hear from us again.
If you are existing or past client. Telephone or email in the first instance. To manage our contractual obligations and perform new business development
If you are existing or past supplier Telephone or email in the first instance. To request information about services or products or to engage in contract negotiations.
If we require to contact you for contractual reasons. Telephone or email in the first instance. To implement a contractual requirement.
  • 3.11 Your rights as a data subject

At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:

• Right of access – you have the right to request a copy of the information that we hold about you.
• Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
• Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
• Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
• Right of portability – you have the right to have the data we hold about you transferred to another organisation.
• Right to object – you have the right to object to certain types of processing such as direct marketing.
• Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
• Right to judicial review: in the event that DCC refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in clause 3.13 below.

3.12 Requesting information on the data we hold

DCC, at your request, can confirm what information we hold about you and how it is processed. This is called a Subject Access Request. If DCC does hold personal data about you, you can request copies of the information we hold from the Data Protection Representative (DPR) on the contact details at the end of this Notice.

A Subject Access Request form can be obtained by requesting a copy from the DPR at DPR@thederbyconferencecentre.com. Whilst you do not need to complete the form to lodge a Subject Access Request, it will make processing easier.

We will need two different forms of identification to show a facial photograph and address, which can be:

• Passport
• Driving licence
• Birth certificate
• Utility bill (from last 3 months)
• Current vehicle registration document
• Bank statement (from last 3 months)

Your request should be emailed to the DPR at SAR@thederbyconferencecentre.com

We endeavor to respond to your request within 1 month of confirming its validity. For more complex requests this may be increased by a further 2 months.

  • 3.13 Complaints and contacts

In the event that you wish to make a complaint about how your personal data is being processed by the Derby Conference Centre or how your complaint has been handled, you have the right to lodge a complaint directly with the ICO and Data Protection Representative.

The details for each of these contacts are:

Supervisory authority contact details Data Protection Representative
Contact Name: Information Commissioners Office (ICO) Data Protection Representative
Address line 1: Wycliffe House, The Derby Conference Centre,
Address line 2: Water Ln, London Road
Address line 3: Wilmslow Derby
Address line 4: SK9 5AF DE24 8UX
Email: dpr@thederbyconferencecentre.com


Online https://ico.org.uk/concerns/handling/