Privacy Policy

1. Introduction
This privacy policy has been created to reflect our commitment to privacy and our adoption of both the Australian Privacy Principles (APPs) and the General Data Protection Regulation (GDPR).
This privacy policy was last updated on: 31 January 2020

2. Who we are
Scenic is made up of different legal entities and operates under the ‘Scenic’, ‘Evergreen’ and ‘Emerald Waterways’ brands. This privacy policy is issued on behalf of Scenic Tours Pty Ltd, which is the controller of your data and is responsible for this website. When we mention “Scenic”, “we”, “us” or “our” in this privacy policy, we are referring to Scenic Tours Pty Ltd and each of its related bodies corporate unless we indicate otherwise.

3. Our contact details
Our full details are:
Scenic Tours Pty Ltd
Postal address: PO Box 807, Newcastle NSW 2300 Australia

4. Changes to this policy
We will post on this website any alterations to the privacy policy. We encourage you to periodically check this website to keep aware of any changes to this policy. Whenever this policy is updated, we will include the date on which any update took place at the top of this page.
If you have any questions regarding the currency of this policy, or any previous versions of this policy, please contact our data protection officer.

5. The types of data we collect about you
Personal information, or personal data, means any information about an identified individual. We may collect, use, store and transfer different kinds of personal information about you which we have grouped together as follows:
Identity Data includes your first name, middle name, maiden name, last name, passport numbers, username or similar identifier, marital status, title, date of birth and gender.
Contact Data includes your billing address, postal address, email address and telephone numbers.
Financial Data includes your bank account and payment card details.
Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
Technical Data includes data collected when you use our website such as your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and version, operating system and platform and other technology on the devices you use to access this website.
Profile Data includes purchases or bookings made by you, your interests, travel preferences, experiences, feedback and survey responses.  
Usage Data includes information about how you use our website, bookings and services.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
Professional Data includes your current employment details, education, previous employment positions and professional experience.
We may also collect a Special Category of Personal Data, namely information about your Health including your current and previous health status, current and previous medical conditions and your dietary requirements, where you give us such details in the process of enquiring about or making a booking and its suitability for you. 

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

6. If you fail to provide personal data to us
Where we need to collect your personal data, whether as part of your contract with us or where required by law, and you fail to provide that data as requested, we may not be able to perform the contract we have or are trying to enter with you (for example, to provide you with your booked tour). 

This personal information is required by us in order to provide you with the full offering you booked with us or to comply with the relevant law. If you do not provide us with the required information, we may need to cancel your contract. If we are required to do so, we will inform you of this as soon as is practicably possible.

7. How we collect your data
We may collect your data in the following ways:

You may provide us with your personal data in your direct interactions with us including:
The booking process;
Any waivers you may sign;
Competitions hosted by us;
Subscribing to newsletters or otherwise requesting us to send you documents or information;
Complaints and feedback provided by you;
Additional activities for which you may sign up during a tour booked with us;
Requesting assistance on tour; and
Submitting an application for employment with us.
We may also collect your data indirectly in circumstances where it is provided by another party. The most common example of this is when you make a booking through a registered travel agent or where your data is provided as a next of kin, travel companion, health practitioner or emergency contact for one of our customers.

Website, Cookies and Marketing
We may also collect your personal data based on your interaction with our website including requesting a brochure, signing up to mailing lists and by use of ‘cookies’.

8. How we use your data
We will only collect or use your data when we are allowed to by law. The law allows us to use your personal data in the following circumstances:

1. Consent – where you have provided us with clear, specific, informed and unambiguous consent to use your data.
2. Performance of a contract – where we have a contract with you, usually to provide you with the travel services comprising your booking, we will require your personal data for both our own use and to disclose to others in order to fulfil that contract;
3. Legal or regulatory obligation – where we are legally required to collect or provide your personal data;
4. Necessary for the purposes of our legitimate interests – where we have a legitimate interest in collecting or using your personal data, as long as your fundamental rights do not override this legitimate interest. Where we have identified in the below section that your data is used for the purpose of our legitimate interests, we have explained what that particular interest is. For example, we could use your data in the legitimate interest of assessing how our services are meeting your needs and use that information to develop more suitable travel offerings.

9. Purposes for which we use your personal data

Purpose: To register you as a new customer and book your travel requirements.
Data Category:
  1. Identity Data; and
  2. Contact Data.
Lawful basis for processing:
  1. Performance of a contract with you

Purpose: To identify your eligibility, and manage your entitlements, as a Scenic Club loyalty member.
Data Category:
  1. Identity Data
  2. Contact Data
  3. Profile Data
  4. Usage Data; and
  5. Marketing and Communications Data
Lawful basis for processing:
  1. Necessary for our legitimate interests (to provide a loyalty program to our customers which forms an integral part of our business and marketing strategy)

Purpose: To identify your specific needs and capabilities to appropriately advise you on the suitability of a current or subsequent booking.
Data Category:
  1. Identity Data
  2. Contact Data
  3. Profile Data
  4. Usage Data; and
  5. Health Data
Lawful basis for processing:
  1. Performance of a contract with you; and
  2. Necessary for our legitimate interests (to only provide services that are suitable and accessible for our guests)

Purpose: To process and deliver your booking including:
  1. Manage payments, fees and charges; and
  2. Collect and recover money owed to us.
Data Category:
  1. Identity Data
  2. Contact Data
  3. Financial Data
  4. Transactional Data;
  5. Marketing and Communications Data; and
  6. Health Data
Lawful basis for processing:
  1. Performance of a contract with you;
  2. Necessary for our legitimate interests (to recover debts due to us); and
  3. Consent for the purposes of ensuring our products and services are suitable for you and any adjustments to them that could be made.

Purpose: To assess your suitability for an employed position with us and contact you regarding any employment opportunities you may apply for with us.
Data Category:
  1. Identity Data;
  2. Contact Data; and
  3. Professional Data
Lawful basis for processing:
  1. Necessary for our legitimate interests (to recruit suitable employees)

Purpose: To manage our relationship with you which will include:
  1. Notifying you about any changes to your booking;
  2. Handling any complaints by you; and
  3. Asking you to leave a review or take a survey.
Data Category:
  1. Identity Data;
  2. Contact Data;
  3. Profile Data;
  4. Marketing and Communications
Lawful basis for processing:
  1. Performance of a contract with you;
  2. Necessary to comply with our legal obligation; and
  3. Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services).

Purpose: To enable you to participate in a prize draw, competition or complete a survey.
Data Category:
  1. Identity Data;
  2. Contact Data;
  3. Profile Data;
  4. Usage Data; and
  5. Marketing and Communications
Lawful basis for processing:
  1. Performance of a contract with you; and
  2. Necessary for our legitimate interests (to study how customers use our products/services, to develop and grow our business).

Purpose: To administer and protect our business and this website including:
  1. Troubleshooting;
  2. Data analysis;
  3. Testing;
  4. System maintenance;
  5. Support;
  6. Reporting; and
  7. Hosting of data.
Data Category:
  1. Identity Data
  2. Contact Data; and
  3. Technical Data.
Lawful basis for processing:
  1. Necessary for our legitimate business interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); and
  2. Necessary to comply with a legal obligation.

Purpose: To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you.
Data Category:
  1. Identity Data
  2. Contact Data
  3. Profile Data
  4. Usage Data
  5. Marketing and Communications Data; and
  6. Technical Data
Lawful basis for processing:
  1. Necessary for our legitimate business interests (to study how customers use our products/services, to develop them, to grow our business and inform our marketing strategy)

Purpose: To use data analytics to improve our website, products/services, marketing, customer relationships and experiences.
Data Category:
  1. Technical Data; and
  2. Usage Data.
Lawful basis for processing:
  1. Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)

Purpose: To make suggestions and recommendations to you about goods or services that may be of interest to you including the provision of marketing materials.
Data Category:
  1. Identity Data
  2. Contact Data
  3. Technical Data
  4. Usage Data; and
  5. Profile Data
Lawful basis for processing:
  1. Necessary for our legitimate interests (to develop our products/services and grow our business)

10. Change of Purpose
If we ever consider it necessary to use your personal data for a purpose other than what it was collected for, we will notify you of the new purpose, the legal basis of that purpose and any further required information before we undertake any further action to use or disclose your data.
However, we may not notify you of a change in purpose in circumstances where we are either required or permitted by law to use your personal data for another purpose.

11. Disclosing your personal data
The following are categories of entities to which we may disclose your personal information:
Accommodation suppliers;
Service/Activity providers;
Ship operators;
Travel agents;
Travel insurers; and
Professional advisers including lawyers, financiers, auditors and insurers.
We also may disclose your personal information to other companies within the Scenic group who are presently based in the UK, Switzerland, Canada and the USA and who provide operational, product, IT and system administration services.

We are affiliated with a range of third party businesses and travel suppliers located both within Australia and overseas. In the course of doing business with you, we will routinely disclose some of your personal information to these recipients where necessary and only for the lawful purposes advised in section 9. 

Our third party overseas affiliates are located in our Scenic destinations, including Africa, Asia, Canada, Alaska, the USA, Europe, New Zealand and South America. Their permitted use of such information is limited to providing the services we are required to provide in accordance with our contract with you.

12. International disclosure

Where we transfer your personal data to countries that are not Australia or within the European Economic Area, we will only do so on the basis that it is necessary for us to perform our contract with you or, if we are disclosing Aggregated Data, for our legitimate interests. As outlined above, Aggregated Data that we collect will not directly or indirectly identify you. To protect the anonymity of Aggregated Data when we provide it overseas, we do not provide personal data along with it.

13. How long will we store your data?
We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, unless we are required to retain it for a further period by law. To determine what is an appropriate period to retain your personal data, we have regard to the nature of the data, the sensitivity of the data, the risk of harm should that data be subject to a personal data breach, the purposes for which we process your data (including any benefits to you as a continued customer of Scenic) and the applicable legal requirements.

14. Data Security
Scenic takes the security of your personal data very seriously. We have implemented a range of security measures to protect your personal data. Scenic holds your personal data in both physical and electronic formats. 

Where we collect and hold your data in a physical format, this data is stored in a room secured by an electronic access system. Access is only available to those Scenic employees with the necessary level of security. Any personal data in a physical format that we are no longer permitted to hold or no longer have any use for (and are not required to hold for legal purposes) is securely destroyed to prevent any loss or unauthorised access.

Where we collect and hold your data in electronic format, that data is stored securely on our internal systems. In circumstances where we may transfer your personal data outside of the Scenic Group, that data is securely encrypted and, where possible, we try to remove personal identifiers.

15. Marketing
We use your personal data to provide you with marketing materials where we believe they may be relevant to your interests. This includes disclosing your personal data to third parties for the purpose of delivering marketing materials to you. You can opt out of receiving marketing materials from us at any time by contacting our data protection officer or by simply following the ‘unsubscribe’ process in the marketing materials provided to you. Once you opt out of receiving marketing materials, we will no longer use, or disclose to third parties, your personal data for this purpose.

16. Complaint Procedure
If you are considering making a complaint about how we have handled your personal data, we would encourage you to contact us first and give us the opportunity to resolve your concern in a timely and efficient manner. Scenic has appointed a data protection officer to handle your concerns regarding the collection and use of your personal information. Our data protection officer can be contacted using the details in this policy. 

Once a complaint is received by us, our data protection officer will undertake the following process to resolve your complaint:
1. liaise with you directly so that we fully understand your complaint;
2. conduct a full and thorough internal investigation into the relevant Scenic departments and personnel;
3. draft a report identifying your complaint, the investigation process and the outcome of that investigation;
4. provide you with a copy of the investigation report; and
5. liaise with you after you have considered the report appropriately to ensure we have satisfied you that your complaint has been handled adequately and we have undertaken all reasonable efforts to resolve the matter.

If you have concerns regarding how we collect, store or process your personal data, you have a right to make a complaint to a regulatory authority. In Australia, that authority is the Office of the Australian Information Commissioner.

If your complaint relates to Scenic’s collection of your personal data whilst you were within the European Economic Area (EEA), you have a right to make a complaint to the supervising authority of the most relevant country. In the UK, for example, that entity is the Information Commissioner’s Office.

17. Your data rights
We will, on written request to our data protection officer, provide you with access to your personal data which we hold unless there is an exception which applies under the Privacy Act 1988. Your request for access will be dealt with in a reasonable time.

We take reasonable steps to ensure that the personal information we hold about you is correct and up to date when we collect or use it. If you consider that the information you or others have provided on your behalf may need to be changed, you may change those details on our website (if possible) or contact us and we will take steps to correct it.

18. GDPR data rights
If we collect your personal data during interactions with you while you are within the EEA, you have the following legal rights under the GDPR:

Access to your personal data
You have the right to request from us confirmation as to whether personal data of yours is being processed by us and access to that personal data.
You can also request from us the following information about your specific personal data:
a) The purpose of the processing;
b) The categories of your personal data concerned;
c) To whom we are, or will be, disclosing your personal information, including where those parties are overseas;
d) How long we expect to store your personal data;
e) Your ability to request that we erase your personal data, or to restrict or object to the processing of your personal data;
f) Your right to lodge a complaint with a regulatory authority;
g) The source from which we collected your personal data; and
h) What safeguards we have used in transferring your information internationally.

Rectifying your data
If you believe that personal data we have about you is in any way inaccurate or incorrect, you have a right to request the rectification of that data. If you wish to make this request, please contact our data protection officer as soon as you become aware of the inaccuracy. We will endeavour to rectify your personal data as soon as practicable after notification from you.

Your right to be forgotten
You have a right to request we delete your personal information, and we will be required to do so, if any of the following circumstances apply:
a) We no longer require the personal data for the purpose for which it was collected;
b) You withdraw your consent and that consent was the only basis for which we were lawfully allowed to collect the personal data;
c) You object to the processing of your data on the basis of our legitimate interests or in the performance of a task in the public interest; or
d) We have unlawfully processed your personal data.
If you make a request for the erasure of your data, we will carefully consider your request in accordance with the law.

Restricting processing
You have a right to restrict us from processing your personal data in certain circumstances. If:
a) You contest the accuracy of your personal data;
b) The processing is unlawful and you oppose the erasure of your personal data and you request the restriction of its use instead;
c) We no longer need your personal data for the purposes of processing but you require us to keep the personal data for the establishment, exercise or defence of a legal claim; or
d) You have objected to the processing,
you may be entitled to restrict us from processing your personal data.

Right to data portability
You have the right to request from us an electronic copy (e.g. USB) of any personal data that you have provided directly to us. However, this right will only apply where we are lawfully processing your data based on your consent or where it is required to perform a contract with you.

Right to object 
You have the right to object to the processing of your data where the purpose is for the performance of a task in the public interest or for our legitimate interests. Where such an objection is raised by you, we will no longer be able to process your personal data for these purposes unless we can demonstrate compelling and legitimate grounds to continue doing so.
You may also object to your personal data being processed for any scientific, historical or statistical purposes. If we receive an objection from you, we will cease using your personal data for these purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Right to object to direct marketing purposes
You have the right to object to the processing of your data for direct marketing purposes. Once we receive this objection, we are no longer entitled to use your personal data for such purposes.

Right not to be subject to automated processing decisions
You have a right not to be subject to a decision based solely on automated processing which produces legal effects or a similarly significant effect on you. If you do not want your data to be subject to an automated processing decision, you can request that we refrain from doing so.

Personal data breach
Where we experience a breach of our security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to your personal data, we will communicate the details of the breach to you if the breach is likely to result in a high risk to your rights and freedoms.
Where we are required to notify you of a personal data breach, we will do so as soon as practicably possible. Any notification by us of a personal data breach will inform you of:
a) the nature of the breach;
b) the name and contact details of our data protection officer where more information can be obtained;
c) the likely consequences of the breach; and
d) the measures taken or proposed to be taken by us to address the breach and any measures we propose to take to minimise the possible negative effects of the breach.

If you exercise any of your rights to receive information on your personal data, we will provide this information (including access to your personal data) free of charge. However, if your request is manifestly unfounded, excessive or repetitive, we may charge you a reasonable administrative fee.

Further, if we provide you with a copy of your personal data, and you request any further copies, we may charge you a reasonable administrative fee.

Where you make a request to us regarding your personal data, we will endeavour to respond adequately to your request within one month. Where possible, we will endeavour to notify you of any rectification, erasure or restriction of processing of your personal data that takes place following an appropriate request from you.