DATA PROTECTION POLICY
2. COLLECTING YOUR PERSONAL DATA
- Through our Website when you register, login, commence or complete an online transaction to use our products and services.
- When you contact our reservations team to make a booking or use the facilities at any of our properties. Facilities include, but are not limited to, meeting rooms, Spa, bar and/or restaurant, function rooms, and guest Wi-Fi.
- When you have provided your consent, in order to:
- sign up to any of our loyalty programmes,
- subscribe to any of our marketing communications, complete customer surveys, enter competitions or provide feedback.
- When we do business with you, which will usually include:
- Full or partial contact details including names and addresses (including business details if you are making a corporate booking), telephone and email details.
- If you have special requirements, then it may also be necessary to collect details about diet or disability or any other preferences that you may have.
- Car parking arrangements at our properties may also make it necessary for us to collect your car registration number for your visit to us.
- We collect payment card information from you should you choose to use this form of payment for purchasing or guaranteeing use of our products and services.
- We may also collect your birthdate and other significant dates for making special offers to you around your birthday and other anniversaries.
- From our overseas guests we will also collect passport details.
- Through CCTV at our properties. We operate CCTV systems at our properties. These are in operation and video recordings may be made. This activity is carried out for security and service reasons for the better management of our properties and security for all clients and staff.
3. WHY DO WE PROCESS YOUR PERSONAL DATA?
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation. Where you have provided your consent.
For your convenience, we have made an overview of activities that involve the processing of your personal data:
- We store the personal data you provide to us in our systems for administrative purposes.
- Government regulations require us to ask you to provide us with certain information when you arrive at a The Hotel. This may include information such as: birth date, nationality, place of residence, date of arrival and profession.
- We will have to verify your identity when you arrive at a The Hotel. We will use your passport or other identification document. We will not store a copy of your passport, except to the extent permitted by law.
- We store your personal data in our database(s), also after your transaction has been completed and after you have stayed in one of our properties to the extent required by law, and if you have signed up a loyalty programme, to be able to contact you and welcome you again in the future.
- For many of our business purposes we use cloud based services. Therefore, for technical and organizational reasons, it is necessary that your personal data is transferred to servers located in the US, or to servers located in countries outside of the European Economic Area (‘EEA’).
- We process your booking, howsoever made directly via our website or via a third party (online) travel agent.
- We offer and provide services and products you request from us or which we may think you are interested in, via email, telephone or other media. These marketing communications contain commercial offers and news of The Hotel and The Operator and related third parties. If you sign up to receive newsletter, The Hotel and The Operator will use the email address you provide to send the newsletter to. If you no longer wish to receive the newsletter, you can unsubscribe and The Hotel and The Operator will no longer send you these marketing communications.
- We use credit card data or other payment data for invoicing purposes.
- If you would like to park in one of our parking areas we may collect your license plate number for security purposes.
- We collect data on your use of our Wi-Fi services for security and anti-piracy purposes (such as: IP address, your device’s MAC address, connections made, location, etc.). We do not process the content of traffic.
- We endeavour to provide a high level of security of both the information we store as well as our facilities, (IT) systems and premises, by means of encryption, physical security measures, passwords, company procedures and policies and professional IT support. Personal data may be processed in this context by The Hotel and The Operator as relevant and their respective vendors.
- We endeavour to prevent our services and facilities (properties) from being used for illegal purposes, of any kind. Personal data may be processed in this context by The Hotel as relevant and their respective vendors, such as through CCTV surveillance.
- We engage in activities required for compliance with legal obligations, third party claims or requests from public authorities, such as (i) the mandatory storage/containment of certain information because of a criminal investigation, (ii) requests from third parties for access to information (iii) any further instructions from third parties, such as supervisory authorities, that involve data processing.
- If you have special requirements then it may also be necessary to collect special categories of personal data in relation to diet or disability.
- you have provided your consent to us using the personal data
- our use of your personal data is necessary to perform our contract with you, for example, making and managing your booking and operating and providing services in connection with any loyalty programme we operate in accordance with the terms of our agreement with you
- our use of your personal data is necessary to meet responsibilities we have to our regulators, tax officials, law enforcement, or otherwise meet our legal responsibilities
- our use of your personal data is in our legitimate interest as a commercial organisation, for example to operate and improve our services and to keep people informed about our products and services – in these cases we will look after your information at all times in a way that is proportionate and respects your privacy rights and you have a right to object to processing as explained in Section 6 below.
If you would like to find out more about the legal basis for which we process personal data please contact either The Hotel or The Operator, using the details set out in Section 10 below. If you have provided your consent to our processing of your personal data you can also withdraw this consent at any time by contacting us.
4. SHARING YOUR DATA
We may share your personal data as follows:
- Third Parties Designated by You . We may share your personal data with third parties where you have provided your consent to do so.
- Our Third Party Service Providers . We may share your personal data with our third party service providers who provide services such as payment processing, information technology and related infrastructure provision, business support (operational and administrative), customer service, the processing and delivery of marketing communications to you, email delivery, auditing and other similar services. These third parties are only permitted to use your personal data to the extent necessary to enable them to provide their services to us. They are required to follow our express instructions and to comply with appropriate security measures to protect your personal data. Third parties are subject to confidentiality obligations and may only use your personal data to perform the necessary functions and not for other purposes.
- Affiliates . We may share some or all of your personal data with our affiliates, in which case we will require our affiliates to comply with this Privacy Statement. By way of example, you may let us share personal data with our affiliates where you wish to receive marketing communications from them.
- Corporate Restructuring . We may share personal data when we do a business deal, or negotiate a business deal, involving the sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding.
- Other Disclosures . We may share personal data as we believe necessary or appropriate: (a) to comply with applicable laws; (b) to comply with lawful requests and legal process, including to respond to requests from public and government authorities to meet national security or law enforcement requirements; (c) to enforce our Privacy Statement; and (d) to protect our rights, privacy, safety or property, and/or that of you or others.
- We do not share your data with any third parties outside of the above processing arrangements and we do not share your data with any business external to our group for their own marketing purposes. From the data we collect, you should only ever receive marketing communications from our own brands and hotels.
5. INTERNATIONAL DATA TRANSFERS
In some instances it is necessary to transfer your personal data overseas. Any transfers will be made in full compliance with all aspects of the applicable regulations.
Both The Hotel and The Operator use cloud based services for many business services. Therefore, for technical and organizational reasons, it is necessary that your personal data is transferred to servers located in the US, or to servers located in countries outside of the EEA. When we transfer the data to a country outside of the EEA that does not offer an adequate level of data protection, we will ensure compliance with applicable law by way of EU Model Clauses, EU-US Privacy Shield-certification, or other legally accepted safeguards, as applicable. Any requests for information we receive from law enforcement or regulators will be carefully validated before personal data is disclosed. You have the right to find out more about the safeguards used where your personal data is transferred outside of the EEA. If you would like further information please contact either The Hotel or The Operator as relevant, using the details given in section 10 below.
6. YOUR RIGHTS
The GDPR provides the following rights for individuals:
Right to revoke consent
If we process personal data on the basis of your consent, you have the legal right to revoke such consent at any time. We will then cease the relevant processing activity going forward.
Right of access to your information
If you want to know what personal data we have collected or process about you, you may request us to provide a copy of your personal data by contacting either The Hotel or The Operator as relevant, using the details given in section 10 below. We will ask you to identify yourself. We will not provide you with a copy of your personal data to the extent that the rights and freedoms of others are or may be adversely affected.
Right to rectification and erasure of data, and restriction of processing
If you believe that our processing of your personal data is incorrect, inaccurate, unlawful, excessive, incomplete, no longer relevant, or if you think that your data is stored longer than necessary, you may ask us to change or remove such personal data or restrict such processing activity.
Right to data portability
You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format, in accordance with Article 20 of the General Data Protection Regulation.
Right to object
You have the legal right to object, on grounds relating to your particular personal situation, at any time to processing of your personal data which is based on our legitimate interests. Furthermore, you have the right to object at any time to our processing of your personal data for direct marketing purposes or to profiling. You can do this by either (i) opting out by using the option we provide in the relevant direct marketing message (e.g. an email newsletter), or (ii) by contacting either The Hotel or The Operator as relevant, using the details given in section 10 below.
For the sake of clarity: without prejudice to the foregoing we are at all times entitled to send you messages that do not constitute direct marketing, i.e. service messages.
General information relevant for all requests and queries
Nothing in this Privacy Statement is intended to provide you with rights beyond or in addition to your rights as a data subject under applicable mandatory data protection law.
We will use reasonable endeavours to respond to your request or query within one month. We are entitled to extend this term by another two months if the complexity of the situation so requires. If your request is manifestly unfounded or excessive we may either (i) charge you a fee, or (ii) refuse to process your request. With respect to access requests we may also charge you for extra copies. If we decide not to honour your request or answer your query, we will explain our reasons for doing so in our reply.
You can find out more and exercise any of your rights by contacting either The Hotel or The Operator as relevant, using the details given in section 10 below.
7. PROTECTION AND STORAGE OF YOUR DATA
We have used and will continue to use reasonable endeavours to protect your personal data against loss, alteration or any form of unlawful use. Where possible, your personal data will be encrypted and stored on a virtual private server that is secured by means of state of the art protection measures. A strictly limited amount of people have access to your personal data.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
9. RETENTION OF INFORMATION
We will only retain your personal data for the period necessary to fulfil the purposes outlined in this Privacy Statement. This may be up to 4 years, unless a longer retention period is required or permitted by law (which is typically the case in the context of our obligations under tax law). In some cases we keep transactional records (which may include your personal data) for longer periods if required or permitted by law or to meet regulatory, tax or accounting needs. Should you choose to unsubscribe from our mailing list, please note that your personal data may still be retained on our database to the extent permitted by law.