DATA PRIVACY & SECURITY POLICY
Effective Date: 1 July 11
Last Updated: 30 June 2020
You can find a Peninsula Hotel and/or restaurants or other goods and services operated and provided by the HSH Group from the following websites online:
www.peninsulalondonproject.co.uk, www.peninsularesidences.london, www.hshgroup.com, www.quaillodge.com, www.therepulsebay.com, www.thepeak.com.hk, www.thelandmarkvietnam.com, www.thaicountryclub.com, and www.peninsulaboutique.com.
- Please note that our websites and the provision of our services are not intended for children and minors and we do not knowingly solicit or collect Personal Data from anyone under the age of 18, other than from a parent or legal guardian with consent. As a parent or legal guardian, please do not allow your children to submit Personal Data without your permission.
1 Personal Data we collect
- 1.1 We may collect and process the following Personal Data about you.
- (a) Personal information about you ► personal information that you provide to us, including your name, telephone number, email address and address (residential and/or delivery address);
- (b) Your payment information ► your payment information such as your credit card information (including credit card number, code and expiry date) and your bank account details;
- (c) Our correspondence ► if you contact us (whether by email, telephone or other means of communication) such as when you make enquiries, we may keep a record of that correspondence;
- (d) Social media account information ► depending on your interactions with various social media platforms linked to us or with which we engage, we may process your profile names, photographs or publicly available posts;
- (e) CCTV images and recordings ► to ensure the security of our properties, we may have closed-circuit television systems installed which will take visual and/or aural recordings where appropriate and relevant, and we may keep recordings as permitted by applicable laws;
- (f) Survey information ► we may also ask you to complete surveys that we use for research purposes. In such circumstances we shall collect the information provided in the completed survey;
- (g) Your use of our website and mobile applications ► details of your visits to our website, mobile application and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access;
- (h) Do-not-track ► Because there is not yet a consensus on how companies should respond to web browser-based do-not-track (DNT) mechanisms, we do not respond to web browser-based DNT signals at this time.
- For our hotel related services only (e.g. when you make a hotel or spa reservation, or purchase a gift certificate from us)
- (i) Your travel details and preferences ► we may collect information such as your travel details (including flight number, arrival and departure dates and time, country/point of origin and destination), your frequent flyer information, your travel partner information, preferences about room, food and beverages and treatment, service requests, information relating to your dietary, access or treatment requirements. We may also need to collect information as required by local laws such as passport numbers, type of entry visa, and driver’s license;
- (j) Your transactions with us ► we collect your itemised spending to properly assemble your folio during your stay, which includes your room rate and other expenses billed to your room.
- For non-hotel related services only (e.g. residential and commercial leasing, and operation of residential clubs and food and beverage outlets and transport)
- (k) Your transactions with us ► we may collect information such as identity card and passport details, tenancy particulars, employment particulars and club membership particulars.
- 1.2 We do not collect Personal Data when you apply for a Peninsula/American Express credit card. If you apply for a Peninsula/American Express credit card, you will be required to provide certain personal information as part of the credit card application process. We do not collect any of the personal information supplied to the American Express group of companies in connection with the Peninsula/American Express credit card application process. You can refer to American Express’ privacy statement posted on their website to understand how the information you supply will be used. American Express is the issuer of the credit card, and all terms and conditions of being a cardholder are dictated by American Express.
- 1.3 There are several ways by which we may collect your Personal Data from you: (i) we may collect your Personal Data from you directly by engaging with you, for example, when you make a direct booking on our website, or when you book or receive a service, or purchase a merchandising product in-person; and (ii) we may also collect Personal Data from third parties including agents and online service providers that make hotel, spa or restaurant reservations on your behalf, facilitate online payments or gift purchases or that are otherwise involved in the reservations process or delivering our services to you. Finally, (iii) we may also collect Personal Data from you through your activity on social media platforms that link to us such as Facebook fan pages or WeChat Official Account, or when you share content, photographs or follow us. Please note that any social media platform will also have their own privacy policies and processes to govern the processing of your Personal Data.
- Special Categories of Personal Data
- 1.5 “Special Categories of Personal Data” are a subset of Personal Data, and include Personal Data relating to your health, political opinions, religious beliefs, ethnicity and race, sex life, trade union membership and in some cases, criminal activity.
- 1.6 As a general rule, we do not process Special Categories of Personal Data. We may however process health/medical information in order to handle medical incidents and/or claims as per section 2.1(h) below. Where we process Special Categories to handle medical incidents, we do so in order to protect the vital interests of you or another person. Where we process Special Categories to handle claims, we do so on the basis of establishing, exercising or defending legal claims or whenever courts are acting in their judicial capacity.
- 1.7 In addition to section 1.6 above, we may process Special Categories of Personal Data in limited circumstances where you have provided such Special Categories of Personal Data including health/medical information (e.g. allergies, disabilities, dietary requirements) so that we can provide our services (e.g. spa treatments and meals) safely to you.
- 1.8 Where we process Special Categories of Personal Data mentioned in section 1.7 above, we will only do so where you have given us your explicit consent to do so. Where you are providing Special Categories of Personal Data about a travel partner, you agree that you have procured their consent to our processing of their Special Categories of Personal Data.
2 How we use Personal Data
- 2.1 We may use your Personal Data in the following ways.
- (a) To administer your reservations ► to process your reservation requests, which may be made via our website, mobile application, our Global Customer Service Centre (GCSC) or our third party service providers’ website and to confirm your booking. We may send a confirmation of your booking via email, SMS or other means and in the case of room reservations, a pre-arrival message summarising your confirmation details and preferences. In respect of hotel-related services, such pre-arrival message will include other information about the hotel, the area and the weather.
- Use justification: contract performance, legitimate interests (to enable us to perform our obligations and provide services to you);
- (b) To provide you with services ► to provide and charge for (i) hotel related services, including but not limited to accommodation, food and beverages and spa treatment, and to facilitate any special requests or assistance that you have asked for, and (ii) non-hotel services including residential club, tenant leasing and transport services.
- Use justification: contract performance, legitimate interests (to enable us to perform our obligations and provide services to you);
- (c) To complete your purchase ► to deliver your orders when you purchase a Peninsula gift certificate or merchandise.
- Use justification: contract performance, legitimate interests (to enable us to perform our obligations and provide services and products to you);
- (d) To customize our services and products to you ► to assure your future comfort and attention to your individual needs, we collect and store specific information about you, such as your food and beverage preferences and other special requests. For example, if you are a repeat guest at our hotels or restaurants or have filled out our food and beverage questionnaire, we may store your Personal Data in our system to serve you better upon your return.
- Use justification: legitimate interests (to allow us to provide customized services and products to you);
- (e) To provide marketing materials to you ► to provide you with updates, offers, and subscriptions where you have chosen to receive these, or connected with us via social media platforms, such as WeChat. With your consent, we may send you information about The Peninsula Hotels, the Peak Tram, and restaurants and residential clubs operated by our group companies, including news, offers and promotions about our hotels and arcades, food and beverage, spa, merchandise, branded residences, touristic services and special events by us or our arcade partners by different channels of communications such as by post, email, telephone or SMS. You may also see these offers, promotions and information on social media platforms through which you have connected with us. Please note that this is subject to the terms and conditions of use of the relevant social media platform. It is however our intention to only send you communications that you want to receive. When you opt-in to receiving promotional material either on a guest registration card or when you enrol in My Peninsula, or patronise our restaurants or sign up on our websites and provide your details to us specifically and expressly in order to receive marketing communications specified above, we will periodically contact you via your preferred channel(s). We typically use third party email service providers to send emails. These service providers are contractually prohibited from using your email address for any purpose other than to send emails related to the HSH Group operations and any organised special events. Personal Data will not be shared with third parties for their own marketing purposes. We provide you with the ability to unsubscribe from all marketing communications. Every time you receive an email, you will be provided with the choice to opt-out of future emails by following the instructions provided in the email. 
You may also opt-out of receiving promotional materials by updating your My Peninsula account, or contacting us as set out in section 7 below.
- Use justification: consent (which can be withdrawn at any time - please see section 5.1 below);
- (f) For analytics and profiling ► to tailor our marketing to you. In connection with our marketing activities, we analyse information that we collect about customers to determine what offers are most likely to be of interest to different categories of customers in different circumstances and at different times. To do this for hotel-related services, we combine Personal Data that we have collected about a customer from a Peninsula Hotel with Personal Data that we have collected from the same customer from another Peninsula Hotel. Such Personal Data include customer behavioural information such as transaction history, spending pattern, preferences, service requests and interactions with us. From time to time, we will assess the Personal Data that we hold about you. We may also use this method to avoid sending you offers that are inappropriate or unlikely to be of interest to you. You have the right to opt-out of such analysis of your Personal Data at any time. You can exercise this right by contacting us as set out in section 7 below.
- Use justification: consent (which can be withdrawn at any time - please see section 5.1 below); legitimate interests (to enable us to tailor our marketing to you);
- (g) To comply with our legal obligations and defend our legal rights ► to comply with our legal obligations such as financial reporting requirements imposed by our auditors and government authorities, to safeguard our legal rights including (without limitation) in relation to the defence of any claims and to cooperate with law enforcement agencies, government authorities, regulators and/or the court in connection with proceedings or investigations anywhere in the world where we are compelled to do so.
- Use justification: legal obligation, legal claims, legitimate interests (to cooperate with law enforcement and regulatory authorities);
- (h) To handle incidents and process any claims we receive ► to handle any accidents and incidents such as liaising with emergency services, and to handle any claims made by customers such as personal injury claims. Please note that this may also require the processing of Special Categories of Personal Data – please see section 1.6 for further information about this.
- Use justification: vital interest (in relation to Special Categories of Personal Data), legal claims, legitimate interests (to ensure that incidents and accidents are handled appropriately and to allow us to assist our customers);
- (i) To improve our services and products ► to assist in developing new services and products and to improve our existing services and products.
- Use justification: legitimate interests (to allow us to continuously improve and develop our services);
- (j) To ensure our website and mobile application function correctly ► to ensure that content from our website and mobile applications is presented in the most effective manner for you and for your computer.
- Use justification: contract performance, legitimate interests (to allow us to provide you with the content and services on the Website); and
- (k) In connection with any reorganisation of our business ► to analyse, or enable the analysis of, any proposed sale or reorganisation of our business.
- Use justification: contract performance, legitimate interests (to allow us to continue providing services to you).
- In respect of hotel-related services only
- (l) To register you as a user ► to create your My Peninsula account. You can set up, review or update your My Peninsula information (including your Personal Data) online upon completing an online room reservation.
- Use justification: contract performance, legitimate interests (to allow us to on-board you as a user);
- 2.2 We may combine information that we have collected offline with information we collect online. We combine information across devices, such as computers and mobile devices. We may also combine information we receive from a third party with information we already have.
3 How we share Personal Data
- 3.1 We may share your Personal Data in the following ways.
- (a) Third party service providers who process Personal Data on our behalf to help us undertake the activities described in section 2 ► We may permit selected third parties such as service providers, agents, contractors, entities which may be the hotel owner, and other HSH Group companies to use your Personal Data for the purposes set out in section 2, including mail houses and email service providers that we engage to send and disseminate promotional materials for the HSH Group, data centre providers that host our servers and third party agents that process mailing and purchases of gift cards on our behalf. These parties are contractually prohibited from using Personal Data for any purpose other than for the purpose specified in their respective contracts, and will be subject to obligations to process Personal Data in compliance with appropriate safeguards. We do not permit the sale of Personal Data to entities outside of the HSH Group for any use. For online payment processing, we work with PCI-DSS compliant payment processing gateway providers.
- Use justification: contract performance, legitimate interests (to allow us to effectively provide services to you and to run and manage our business);
- (b) Law enforcement agencies, government authorities, regulators and the court in order to comply with our legal obligations or to handle incidents/claims ► We may disclose your Personal Data when required by relevant laws or by court order, or as requested by other government or law enforcement authorities to assist with proceedings or investigations. Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of an actual or suspected crime. This also applies when we have reason to believe that disclosing the Personal Data is necessary to obtain legal advice, to identify, investigate, protect, contact, or bring legal action against someone who may be causing interference with our guests, visitors, associates, rights or properties, or to others, whether intentionally or otherwise, or when anyone else could be harmed by such activities.
- Use justification: legal obligation, legal claims, legitimate interests (to cooperate with law enforcement and regulatory authorities); and
- Use justification: contract performance, legitimate interests (to allow us to run and manage our business).
- Use justifications
- These are the principal legal grounds that justify our use of your Personal Data:
- Consent: where you have consented to our use of your Personal Data (you will have been presented with a consent form in relation to any such use).
- Contract performance: where your Personal Data is necessary to enter into or perform our contract with you.
- Legal obligation: where we need to use your Personal Data to comply with our legal obligations.
- Legitimate interests: where we use your Personal Data to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.
- Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.
- Vital interest: where we need to process your Personal Data to protect the vital interest of you or another natural person, e.g. where you require urgent assistance.
- These are the principal legal grounds that justify our use of your Special Categories of Personal Data:
- Explicit consent: You have given your explicit consent to the processing of those personal data for one or more specified purposes. You are free to withdraw your consent by contacting us. Where you do so, we may be unable to provide a service that requires the use of such data.
- Protection of vital interests of you or another person, where you are unable to consent: Processing is necessary to protect the vital interests of you or of another natural person where you are physically or legally incapable of giving consent.
4 How we transmit, protect and store Personal Data
- Security of communications
- 4.1 It is important to note that no security system or system of transmitting information over the internet can be guaranteed to be one hundred percent secure. There is a risk inherent in the submission of information online and the use of email and facsimile. Please be aware of this when requesting information or sending forms to us online or by email or facsimile, for example, from the “Contact Us” section. We recommend that you do not include any sensitive information including credit card details when submitting information online, using email, facsimile or when using any public computers/public WIFI.
- Security controls
- 4.2 We maintain commercially reasonable administrative, technical and physical safeguards designed to protect the Personal Data we maintain against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. Despite such efforts, however, please note that no company can fully eliminate risks or guarantee complete security of personal information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of your information. While we strive to put in place appropriate contractual protections, we are unable to guarantee the security of Personal Data hosted on databases run by third parties, and we bear no liability for uses or disclosures of personal information or other data arising in connection with theft of the information or other malicious actions.
- 4.3 We store certain customer information and reservation details in our Customer Information System and Reservation System on our subcontractor’s secure servers. Our server resides behind firewalls designed to protect Personal Data collected from you against unauthorised or accidental access. Because laws applicable to personal information vary by country, our hotels or other business operations may put in place additional measures that vary depending on the applicable legal requirements.
- Personal Data transmission across international borders
- *Currently, guest data may be transferred to our headquarters in Hong Kong as well as other countries where we are present, including China, Japan, Vietnam, United Kingdom, United States of America, Thailand, the Philippines and France. We also use third party service providers which are located in countries such as United States of America and Australia to process mailing, certain online bookings and purchases of gift cards.
- 4.5 Your Personal Data may be accessed by staff or suppliers, transferred, and/or stored outside the European Economic Area (EEA) including to countries which may have a lower level of data protection than under EU data protection laws. We must comply with specific rules when we transfer Personal Data from inside the EEA to outside the EEA. When we do this, we will use appropriate safeguards to protect any Personal Data being transferred. Where required, we will transfer your Personal Data subject to European Commission approved contractual terms that impose different data protection obligations directly on the recipient. Please contact us as set out in section 7 below if you would like to see a copy of the specific safeguards we apply to the export of your Personal Data; these may be redacted to protect commercially sensitive or confidential information.
- 4.6 Your Personal Data will be stored for the period of time required or permitted by law in the jurisdiction of the operation holding the information (e.g. certain transaction details and correspondence may be retained until the time limit for claims in respect of the transaction has expired or in order to comply with regulatory requirements regarding the retention of such data). So if information is used for two purposes we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period once that period expires.
- 4.7 Our retention periods are based on business needs and on the applicable statutory requirements.
5 Your rights
- Opt-out of marketing
- 5.1 You have the right to ask us not to process your Personal Data for marketing purposes at any time. You can exercise your right by checking certain boxes online or on the data collection forms, talking to us in person, or by contacting us as set out in section 7 below. If you opt out of receiving our marketing messages, where permitted by law, you may continue to receive other messages from us as required by the relationship between you and us.
- Other rights
- 5.2 Subject to various exceptions and data protection laws in your country, you may have the following rights:
- (a) Access: you can ask us to provide you with further details on the use we make of your Personal Data and a copy of the Personal Data we hold about you;
- (b) Correction: you can ask us to correct any inaccuracies in the Personal Data we hold about you;
- (c) Complaint: if you are not satisfied with our use of your Personal Data or our response to any exercise of these rights, you may have the right to complain to the data protection authority in your country;
- (d) Erasure: you can ask us to delete your Personal Data if we no longer have a lawful ground for use;
- (e) Withdrawal of consent: where processing is based on consent (e.g. marketing, or certain uses of Special Categories of Personal Data), you can withdraw your consent to processing and we will stop that particular processing;
- (f) Object to processing: you have the right to object to other types of processing (e.g. analytics and profiling activities carried out in relation to your Personal Data), unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights;
- (g) Restriction: you can restrict how we use your Personal Data pending any investigation, for example, whilst we are verifying the accuracy of your Personal Data or where we are verifying the grounds that we use as the basis of holding your Personal Data;
- (h) Portability: where technically feasible, you have the right to ask us to transmit the Personal Data that you have provided to us to a third party in a structured, commonly used and machine readable form.
- Updating information
- 5.3 We will use reasonable endeavours to ensure that your Personal Data is accurate. In order to assist us with this, you should notify us of any changes to your Personal Data that you have provided to us by updating your details in your My Peninsula account or by contacting us as set out in section 7 below.
6 California and Nevada privacy rights
- 6.1 If you are a California resident, you have the right to ask us what information we have collected, used, disclosed and sold about you in the preceding 12 months. You also have the right to request us to delete the Personal Data we have collected from you. To exercise your rights, please contact us at one of the toll-free numbers listed below in section 6.4 or email us at email@example.com. We will verify your request by matching information you provide to us with information we already have about you. We will not discriminate against you because you have exercised any of your rights under the California Consumer Privacy Act (CCPA). You can designate someone else to make a request by having them execute a notarised power of attorney to act on your behalf. We will maintain a record of your CCPA rights requests.
- 6.2 Under California law we are required to tell California residents if we “sell” information as that term is defined by applicable law (i.e. sharing the Personal Data with a third party for monetary or other valuable consideration). We confirm to California residents that we do not do this based on our understanding of that term. We also do not have actual knowledge that we sell the Personal Data of minors under the age of 16.
- 6.3 In relation to our disclosure obligations in Nevada, we confirm that we do not exchange Nevada residents’ Personal Data for money with any person for such person to license or sell the Personal Data to additional persons. By emailing us at firstname.lastname@example.org, Nevada residents may opt out of the future sale of their Personal Data to a third party.
- 6.4 For our US properties, we have the following toll-free numbers available to make a request in relation to your Personal Data:
- (a) The Peninsula Beverly Hills: +1 800 462 7899
- (b) The Peninsula Chicago: +1 866 288 8889
- (c) The Peninsula New York: +1 800 262 9467
- (d) Quail Lodge & Golf Club: +1 866 6751101
7 Contacting us
- Data Privacy Team
The Hongkong and Shanghai Hotels, Limited
8/F St George’s Building
2 Ice House Street
Fax: +852 2147 3720
- Alternatively, you can contact our Representative in the European Union at:
Peninsula Paris Hotel Management SARL
Ref: “EU Representative”
c/o The Peninsula Paris
19 avenue Kléber,
Paris, France, 75116
- Attention: Executive Office / HSH Management Services Limited
- Phone: +33 1 5812 2888
- Email: email@example.com
- 7.2 Please contact the Data Privacy Team (whose details are set out above in section 7.1) for the Data Protection Officer of HSH’s Singapore companies.
10 Other sites
- 10.1 The website or mobile application may contain links to other third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you submit any personal information to such third party websites.