Destinations
Europe (148)
Italy (46) United Kingdom (21) Germany (20) France (14) Spain (11) Austria (7) Czech Republic (6) Switzerland (6) Greece (4) Netherlands (4) Finland (3) Ireland (3) Portugal (3) Slovakia (3) Hungary (2) Albania (1) Armenia (1) Belgium (1) Bulgaria (1) Croatia (1) Cyprus (1) Denmark (1) Estonia (1) Georgia (1) Malta (1) Norway (1) Poland (1) Romania (1) Bosnia and Herzegovina Iceland Latvia Lithuania Montenegro Serbia Sweden
Americas (6)
USA (3) Argentina (2) Chile (1) Peru (1) Bolivia Guatemala Mexico
Middle East & Central Asia (9)
Turkey (5) Uzbekistan (2) Jordan (1) Oman (1) Kyrgyzstan (1)
Asia (10)
Japan (5) India (3) Vietnam (2) Cambodia (1)
Africa (6)
Egypt (2) Morocco (2) Algeria (1) Tunisia (1)
Australasia
Australia
Themes
Architecture (88)
Art (78)
History (44)
Archaeology (32)
Music (26)
Gardens (14)
Historic Houses (11)
Gastronomy (8)
Walking (8)
Event types
Tours for small groups (161)
Single-centre tours (45)
Cruises (10)
Martin Randall Festivals (7)
Short Music & History events (1)
London Days (1)
Online talks
Calendars
Tour Calendar
Travel by month
Late Availability
Christmas & New Year tours (8)
Cultural tours in 2027

Data Processing Clauses

DEFINITIONS:

Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

1. GENERAL

  1. Both parties will comply with all applicable requirements of the Data Protection Legislation. This Schedule 1 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
  2. The parties acknowledge that for the purposes of the Data Protection Legislation, MRT is the Data Controller and the DMC is the Data Processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). Annex 1 sets out the scope, nature and purpose of processing by the DMC, the duration of the processing and the types of Personal Data and categories of Data Subject (where Personal Data and Data Subject have the meanings as defined in the Data Protection Legislation).
  3. The DMC shall, in relation to any Personal Data processed in connection with the performance by the DMC of its obligations under the Agreement, process that Personal Data only for the purposes of providing the Services and complying with its obligations under the Agreement.

 

1.SUB-PROCESSORS

  1. The DMC shall not permit any processing of Personal Data by any agent or subcontractor or other third party (“Sub-Processor”) without the prior written authorisation of MRT. 
  2. In the event MRT gives authorisation to the DMC for the appointment of a Sub-Processor in accordance with clause 2.1, such authorisation will always be contingent on and subject to the DMC entering into a written agreement with the Sub-Processor incorporating terms which are substantially similar to those set out in this Schedule 1.
  3. As between the parties, the DMC shall remain fully liable for all acts or omissions of any Sub-Processor appointed by it pursuant to this clause 2.

 

2. TECHNICAL & ORGANISATIONAL MEASURES

  1. The DMC shall, in relation to any Personal Data processed in connection with the performance by the DMC of its obligations under the Agreement ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data.
  2. Those measures may include, where appropriate:
    1. pseudonymising and encrypting Personal Data;
    2. ensuring confidentiality, integrity, availability and resilience of its systems and services;
    3. ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident; and
    4. regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it.
  3. The DMC shall provide to MRT at any time on request a detailed written description of such technical and organisational measures in place.

 

3. DMC PERSONNEL & SUB-PROCESSORS

  1. The DMC shall ensure that access to Personal Data is limited to its personnel and authorised Sub-Processors who need access to it to supply the Services, and that all personnel and authorised Sub-Processors are:
    1. informed of the confidential nature of the Personal Data and that they must not disclose the Personal Data;
    2. are subject to an enforceable obligation of confidence with regards to the Personal Data; and
    3. are assessed by the DMC or authorised Sub-Processor prior to any processing of the Personal Data to ensure their reliability, and that they receive training on data protection matters.
  2. As between the parties, the DMC shall remain fully liable for all acts or omissions of any personnel and authorised Sub-Processors.

 

4. TRANSFER OF DATA OUTSIDE THE UK

  1. The DMC may only process, or permit the processing, of Personal Data outside the UK under the following conditions:
    1. the DMC is processing Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals. The DMC must identify in Annex 1 the territory that is subject to such an adequacy finding; or
    2. the DMC participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the DMC (and, where appropriate, MRT) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR. The DMC must identify in Annex 1 the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and the DMC must immediately inform MRT of any change to that status; or
    3. the transfer otherwise complies with the Data Protection Legislation for the reasons set out in Annex 1.

 

5. DESTRUCTION OF PERSONAL DATA

  1. The DMC shall on request at any time and on the expiry or termination of the Agreement, (at no cost to MRT) at MRT’s option either return all of the Personal Data, and copies of it in such format as MRT may require or securely dispose of the Personal Data, except to the extent that any applicable law requires the DMC to store such Personal Data and the DMC has promptly demonstrated their legal requirements to MRT.

 

6. NOTIFICATION OBLIGATIONS

  1. The DMC shall immediately (and in any event within 2 calendar days) fully notify MRT in writing if any Personal Data has been disclosed in breach of this Schedule or if it is lost, becomes corrupted, is damaged or is deleted in error.
  2. The DMC shall notify MRT immediately if it suspects or becomes aware of any actual, threatened or potential breach of security of Personal Data and any personal data breach (as defined in Data Protection Legislation) and shall ensure all such notices include full and complete details relating to such breach, in particular:
    1. the nature and facts of such breach including the categories and number of Personal Data records and, if applicable, Data Subjects concerned;
    2. the contact details of the data protection officer or other representative duly appointed by the DMC from whom MRT can obtain further information relating to such breach;
    3. the likely consequences or potential consequences of such breach; and
    4. the measures taken or proposed to be taken by the DMC to address such breach and to mitigate any possible adverse effects and the implementation dates for such measures.

 

7. ASSISTANCE TO MRT

  1. The DMC shall promptly provide such information and assistance (at no cost to MRT) as MRT may require in relation to any request from or on behalf of any Data Subject for access, rectification or erasure of their Personal Data, or any complaint, objection to processing, or other correspondence. In no event shall the DMC respond directly to any such request, complaint or correspondence without MRT’s prior written consent unless and to the extent required by law.
  2. The DMC shall promptly provide such information and assistance (at no cost to MRT) as MRT may require in relation to:
    1. MRT’s decision to undertake a data protection impact assessment where MRT considers (in its sole discretion) that the type of processing may result in a high risk to the rights and freedoms of Data Subjects;
    2. any approval of the Information Commissioner or other data protection supervisory authority to any processing of Personal Data, or any request, notice or investigation by such supervisory authority.
  3. The DMC shall permit MRT (and any of its authorised representatives) and the Information Commissioner (or its authorised representatives), at the DMC’s cost, access to any of the DMC’s premises, personnel, IT systems and relevant records as may be reasonably required by MRT upon reasonable notice at any time for the purposes of conducting an audit in order to verify the DMC’s compliance with this Schedule and Data Protection Legislation.
  4. The DMC shall, on demand, provide MRT and the Information Commissioner (and/or their authorised representatives) with all reasonable co-operation, access and assistance in relation to each audit.
  5. In the DMC’s reasonable opinion, to the extent that it believes that any instruction received by it is likely to infringe the Data Protection Legislation or any other applicable law, the DMC shall promptly inform MRT.

 

8. INDEMNITY

  1. The DMC shall indemnify MRT against: (i) all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, expenses, demands and legal and other professional costs (calculated on a full indemnity basis) arising out of or in connection with any breach by the DMC and/or any Sub-Processor (as applicable) of this Schedule including where the DMC’s breach then places MRT in breach or subject to regulatory action, which the parties agree is foreseeable and a direct loss; and (ii) all amounts paid or payable by MRT to a third party which would not have been paid or payable if the DMC’s breach of this Schedule had not occurred, including in both cases where the DMC’s breach then places MRT in breach or subject to regulatory action, which the parties agree is foreseeable and a direct loss.

 

Description of Processing

The processing of personal data is as follows

  • MRT is a tour operator and provider of holidays to customers in the UK and worldwide.
  • The DMC is a supplier of travel arrangements needed for the provision of the holiday to the customer.

Data subjects

The personal data concern the following categories of data subjects (please specify):

  • Customers;

  •  

Purposes of the processing

The processing is necessary for the following purposes (please specify):

  • For the delivery of the holiday (provision (where applicable) of accommodation, food, excursions, transport etc.) 

Categories of data

The personal data processed fall within the following categories of data (please specify):

  • Customer name, address, date of birth;
  • Passport details (if/where applicable)
  • Travel insurance provider (if/where applicable)

Sensitive data (if appropriate)

The personal data processed fall within the following categories of sensitive data (please specify):

  • Dietary requirements (if/where applicable)     
  • Medical requirements/health conditions (if/where applicable).

Instructions with regards to the processing of personal data:

The DMC shall process the Personal Data only in accordance with the instructions of MRT.

Image

Destinations

Useful links

Our company

Legal

Martin Randall Australia Pty Ltd
5 Moorak Street
Taringa
QLD 4068
Australia

Image

Martin Randall Australia Pty Ltd
5 Moorak Street
Taringa
QLD 4068
Australia

American Express Mastercard Visa

© 2026 Martin Randall Travel

Image

My Wishlist

Wishlist

Click the heart icon on any event to save it to your wishlist.

Browse our tours.
You Might Be In The Wrong Region

Would you like to switch to the United States site?

Go to United States Site