Stobo Castle Health Spa Limited (“Stobo Castle”)

Privacy & Fair Processing Notice

Stobo Castle strives to protect the privacy of all personally identifiable information collected during the course of our activities and it is important for you to know how we process your data.  We will process your personal information under the terms of this policy and in accordance with any agreement with you.

We are a “data controller” in terms under data protection law (including from 25 May 2018, the EU General Data Protection Regulation 2016 and the Data Protection Act 2018) (“Data Protection Laws”).

We need to process personal data relating to our past, present and future guests, suppliers, contractors, gym members and spa users in order to function effectively as a business, ensure good governance, for audit purposes, to perform our business and to enable us to meet our legal obligations as an employer.

Personal data is processed for commercial, administrative, statutory, health and safety and marketing/promotion purposes. All such personal data is collected and held in accordance with all applicable Data Protection Laws.

What personal information will Stobo Castle use?


This list includes all the ways we may use your personal information, and which of the reasons we rely on to do so. This is where we tell you what our legitimate interests are.

Personal Information We May Process:Our Reasons for ProcessingOur Legitimate Interests

•         supplier contact’s name

·         address

·         supplier contact’s work email                address

·         supplier contact’s work                            telephone number

·         Our legitimate interests·         To keep in contact with                          suppliers

·         Administering our business

Guests (including spa users and gym members)

·         Name

·         addresses

·         email addresses

·         telephone numbers

·         purchase history

·         correspondence history

·         video and image (if filmed on               CCTV)

·         medical/health information

·         guest preferences

·         car registration numbers

·         Fulfilling contracts

·         Our legitimate interests

·         To protect and defend our                legal rights


·         To keep past and future guests            updated with new services and            products

·         To investigate guest                                complaints in order to                            maintain and improve our                   quality of service

·         To ensure safety of  users of                  the whole Stobo Castle complex

·         To return lost property

·         To tailor treatments based on              guest’s medical history


Potential Customers/People interested in our services

·         Names

·         Addresses

·         email addresses

·         telephone numbers

·         purchase history

·         correspondence history

·         guest preferences

·         car registrations

·         health and medical information

·         Fulfilling contracts

·         Our legitimate interests

·         Consent

·         To send marketing                                  information to potential                        customers in compliance with              any applicable laws relating to            marketing.

·         Tailor treatments based on                  guest’s medical history and as              a   defence in the event of any             claims.


Where do we obtain your information?


In most cases we will obtain this information from you directly.

From time to time a guest may provide us with your personal data if they consider that you may be interested in the services Stobo Castle has to offer. If this has occurred, we may send you marketing or promotional materials in the post.


Processing Conditions


We process the personal data referred to above for the purposes of any contract or potential contract with our past, present and future guests, suppliers, contractors, gym members and spa users; or for our legitimate interests in order to function effectively as a business, to ensure good governance, for audit purposes, to perform our business activities; and to enable us to meet our legal obligations that we may be subject to as an employer.

Who do we share your information with?

The information you provide to us may be accessed by our staff, our auditors, our professional advisors and carefully selected third parties in the course of providing services to us under suitable obligations of confidentiality.

We may also use information in aggregate, where personally identifiable information is removed, for marketing and strategic development to improve and support our activities.


We employ administrative, electronic and physical security measures to ensure that the information that we collect about you is protected from access by unauthorised persons and protected against unlawful processing, accidental loss, destruction and damage.

Please be aware that unfortunately the transmission of information via the internet or by email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of the data transmitted to us and any transmission is at your own risk.

The period for which the personal data will be processed

We will retain personal data securely and only in line with how long it is necessary to keep for the purposes or for a legitimate and lawful reason.

Our typical retention periods are as follows:

Type Of Personal DataRetention Period
Supplier contracts and documentation containing supplier personal data7 years from the end of the contract with each supplier
Personal data within promotional and marketing databases7 years from the date of the data subject actively responded to marketing or promotional correspondence, providing the data subject has opted out of the mailing list
CCTV images and videos2 weeks from the date the footage was taken
Gym Membership information7 years from the date of leaving
Forms which guests complete before, during and after a stay3 years from the date the guest visited Stobo Castle
Lost property records2 Full years
Guest name, contract details and information relating to their visit7 years from the date the guest visited Stobo Castle
Online voucher and shop orders7 years from the date the order was taken
Job Applicant information (including CVs)6 months after the post has been filled
Employee/contractor information7 years after their employment or engagement ceases, and some employee information for 7 years after cessation of employment.

Some personal data may be retained for longer where it is in our legitimate interest to do so, such as to protect and defend our legal rights; or for research, archiving or statistical purposes.  Individuals can request that other information relating to them be erased and we will deal with such requests in accordance with the law.

Transfers outside the European Economic Area


We, or carefully selected third parties that we contract with, may send personal data to countries outside the European Economic Area (‘EEA’). If and when this occurs, there will be protections in place to ensure the recipient protects the data to the same standard as the EEA. The protections include:

transferring to a non-EEA country with privacy laws that give the same protection as the EEA.

putting in place a contract with the recipient that means they must protect personal data to the same standards as the EEA.

transfer personal data to organisations in the USA that are part of Privacy Shield. This is a framework that sets privacy standards for personal data sent between the US and EU countries which makes sure standards are similar to what is used within the EEA.

Data subject’s rights

As an individual, you have the following rights as a data subject under applicable Data Protection Laws in relation to the processing of your personal data:

The right to request from us access to information held about you

The right to request that inaccurate data held about you is rectified

The right to request the erasure of personal data

The right to restriction of processing

The right to object to processing, and

The right to data portability.

For more information and guidance about any of these rights please go to the website of the Information Commissioner’s Office at


If you think there is an issue in the way in which we handle your personal data, you have a right to raise a complaint with the Information Commissioner’s Office. Their website contains details of how to make a complaint.


Changes to this Privacy & Fair Processing Notice

We keep our Privacy & Fair Processing Notice under regular review and reserve the right to update and amend it.  This notice was last updated in June 2018.

Further information

For further information about the proposed data sharing set out in this notice, or about any aspect of the Stobo Castle is processing of your personal data, please contact the reservations department at the following email address,