1. Data Processing Record (Article 30)

• Sea & Sky Luxury Transfers Ltd. – Record of Processing Activities (ROPA)

​

1.1 Controller Details

• Organisation name: Sea & Sky Luxury Transfers Ltd.

• Address: Jubilee Enterprise Centre, 15 Jubilee Close, Weymouth, Dorset, DT4 7BS

• ICO Registration Number: ZC133717

• Contact email: office@seaskyluxurytransfers.com

• Data Protection Officer: Simon A. Craddock

 

1.2 Processing Activities

• A. Customer Bookings & Transport Services

  • Purpose: Managing bookings, dispatching taxis, fulfilling transport contracts, customer safety.

  • Categories of data: Name, phone number, pickup/drop-off locations, journey history, payment details.

  • Lawful basis:

    • Contract – to provide the booked journey.

    • Legitimate Interests – fraud prevention, dispute resolution, service optimisation.

  • Recipients: Dispatch software provider, payment processors, regulatory authorities (if required).

  • Retention: 12–24 months for journey records; financial records 6 years (legal obligation).

  • Security: Encrypted dispatch system, access controls, secure mobile devices.

• B. Driver Management

  • Purpose: Scheduling, payments, safety, regulatory compliance.

  • Categories of data: Name, licence details, right-to-work, GPS location during shifts, performance data.

  • Lawful basis:

    • Legal Obligation – licensing, HMRC requirements.

    • Contract – driver engagement.

    • Legitimate Interests – safety monitoring, complaint investigation.

  • Recipients: Local authority licensing, insurers, payroll providers.

  • Retention: 6 years after contract end.

• C. CCTV / In-Car Cameras (where fitted)

  • Purpose: Passenger and driver safety, crime prevention, dispute resolution.

  • Categories of data: Video/audio recordings.

  • Lawful basis:

    • Legitimate Interests – safety and crime prevention.

    • Legal Obligation – where mandated by local licensing.

  • Retention: 14–31 days unless required for an incident.

• D. Website & App Analytics

  • Purpose: Service improvement, security, fraud detection.

  • Categories of data: IP address, device identifiers, cookies.

  • Lawful basis:

    • Legitimate Interests – security and analytics.

    • Consent – for non-essential cookies.

  • Retention: 12–24 months.

 

2. Legitimate Interests Assessment (LIA)

• Based on ICO’s three-part test and Law Society guidance.

 

2.1 Identify the Legitimate Interest

• Examples relevant to a taxi company:

  • Ensuring passenger and driver safety (CCTV, GPS tracking).

  • Preventing fraud (fake bookings, chargebacks).

  • Investigating complaints and resolving disputes.

  • Optimising dispatch operations and reducing wait times.

  • Protecting company assets (vehicle misuse, theft).

• Why legitimate interest applies:

  • ICO guidance states it is appropriate where processing is expected, minimally intrusive, and justified by a compelling need.

 

2.2 Necessity Test

• GPS tracking is necessary to dispatch vehicles, ensure safety, and verify journeys.

• CCTV may be necessary to deter crime and provide evidence.

• Journey history is necessary for customer support and dispute resolution.

• Less intrusive alternatives considered:

  • Manual logs (insufficient for safety).

  • No CCTV (increases risk of crime).

  • Anonymous bookings (not feasible for transport contracts).

 

2.3 Balancing Test

• Potential impact on individuals:

• GPS tracking may feel intrusive.

• CCTV may capture sensitive situations.

• Mitigations:

  • Clear signage in vehicles if CCTV is fitted.

  • Restricted access to footage.

  • Short retention periods.

  • Encryption and access logging.

  • Privacy notice transparency.

• Conclusion: The interests of the taxi company and safety of passengers/drivers outweigh the limited privacy impact, provided safeguards are in place.

 

2.4 Outcome

• Legitimate interest basis approved.

• Review cycle: Annually or after major operational changes.

• Record keeping: LIA stored with ROPA and reviewed by management.

 

3. Customer Privacy Notice

3.1 Who We Are

• We are Sea & Sky Luxury Transfers Ltd., a licensed private-hire operator in the UK. We process your personal data in accordance with the UK GDPR.

 

3.2 What Data We Collect

• Name, phone number, email

• Pickup/drop-off locations

• Journey history

• Payment information

• CCTV footage (if applicable)

• App/website usage data

 

3.3 Why We Use Your Data

• Purpose: Lawful Basis

• Booking and completing journeys: Contract

• Customer support: Legitimate Interests

• Safety, CCTV, fraud prevention: Legitimate Interests

• Legal compliance (licensing, HMRC): Legal Obligation

• Payment processing: Contract

• App analytics: Legitimate Interests / Consent

 

3.4 Sharing Your Data

• Dispatch software providers

• Payment processors

• Local authority licensing teams

• Police (where legally required)

• Insurers (incident-related only)

 

3.5 Retention

• Journey records: 12–24 months

• CCTV: 14–31 days

• Financial records: 6 years

 

3.6 Your Rights

• You have rights to access, correct, delete, restrict, or object to processing. Contact: office@seaskyluxurytransfers.com.

 

4. Driver/Staff Data Processing Notice

 

4.1 Data We Collect

• Name, address, contact details

• Driving licence, right-to-work documents

• GPS location during shifts

• CCTV footage (if fitted)

• Incident/complaint records

• Payment and tax information

 

4.2 Lawful Bases

• Contract – driver engagement

• Legal Obligation – licensing, HMRC

• Legitimate Interests – safety monitoring, fraud prevention, complaint investigation

 

4.3 Retention

• Driver records: 6 years after contract end

• GPS logs: 3–12 months

• CCTV: 14–31 days

 

5. CCTV Sign Template (where fitted)

• CCTV in operation

• For the safety of passengers and drivers

• Images are recorded by Sea & Sky Luxury Transfers Ltd. under UK GDPR legitimate interests.

• Contact: office@seaskyluxurytransfers.com