Data Privacy and Security Policy
This Data Privacy and Security Policy (“Privacy Policy”) sets out how The Hongkong and Shanghai Hotels, Limited and its group companies and affiliates (“HSH Group”, “we” or “us”) collect, store and handle your Personal Data (i.e., any personal data that can be used to identify you as an individual). You may get the list of companies within the HSH Group by clicking here.
In this Privacy Policy, “The Hongkong and Shanghai Hotels, Limited”, “HSH Group” or “we” refers to the entity responsible for processing your Personal Data, usually the entity collecting your Personal Data (e.g., the operator of the website collecting your Personal Data).
This Privacy Policy is intended to ensure you can make informed decisions about providing Personal Data relating to you when purchasing our products, using our services, communicating with us and exercising shareholder’s rights. For any comments or queries, please contact us as set out in section 6 “Contacting us” and relevant annexes. You can click here to find our websites and social media pages, where you may search for a Peninsula Hotel and/or restaurant or other goods and services that we operate or provide.
Please note that our websites, products, and services are not intended for any minors under the age of 18 (“Minors”), unless expressly stated in the description of the related product or service. We do not knowingly solicit or collect Personal Data from Minors, unless such information is voluntarily provided or consented to by a parent or a legal guardian. As a parent or a legal guardian, please do not allow Minors under your custody to provide their Personal Data to us without your permission. For more information about how we collect, process, and protect Personal Data of Minors, please refer to Minors’ Privacy Policy. If you are a parent or a legal guardian of a Minor, please read and choose whether to agree with the Minors’ Privacy Policy before sharing any Minor’s Personal Data with us.
By providing Personal Data to us, you agree to the processing and use set out in this Privacy Policy and have obtained corresponding authorisation (if required). If the Personal Data that you provide will be used for other purposes, we will provide you with the necessary information and corresponding protection measures with respect to these additional purposes in accordance with the applicable laws and regulations.
This Privacy Policy contains general information and technical details about the steps we take to respect your privacy concerns. We have organised and composed the Privacy Policy by major processes and scope of information processing so that you can easily browse the information of most interest to you.
- Personal Data we collect
- How we use Personal Data
- How we share Personal Data
- How we transmit, protect, and store Personal Data
- Your rights
- Contacting us
- Cookies
- Changes to the Privacy Policy
- Other Sites
Annex I: Local Specific Provisions – for residents in California and Nevada
Annex II: Local Specific Provisions – for individuals in China
2 | How we use Personal Data
2.1 | We may use your Personal Data for the following purposes.
Please note that the use of your Personal Data under the applicable laws governing this Privacy Policy must be based on at least one of a number of legal “grounds” and we have set out the grounds in respect of each use in this Privacy Policy. An explanation of the scope of the grounds available can be found here.
- Applicable to hotel-related services only
- Applicable to hotel-related and non-hotel related services
- Applicable to communication with shareholders, investors, potential investors and analysts only
- Applicable for shareholders to exercise the rights only
2.2 | We may combine information that we have collected offline with information we collect online. We combine information across devices, such as computers and mobile devices. We may also combine information we receive from a third party with information we already have.
3 | How we share Personal Data
3.1 | We may share your Personal Data with the following parties.
3.2 | This Privacy Policy does not apply to third party providers (e.g., airlines, online travel agents, car rental companies, table booking websites) who may collect personal information from you and may share it with us. In these situations, we strongly advise you to review the applicable third-party provider’s privacy policy before providing your personal information.
Use Justifications
These are the principal legal grounds that justify our use of your Personal Data:
These are the principal legal grounds that justify our use of your Special Categories of Personal Data:
4 | How we transmit, protect and store Personal Data
Security of communications
4.1 | It is important to note that the transmission of information over any security system or the internet cannot be guaranteed to be one hundred percent secure. There is a risk inherent in the submission of information online and the use of email and facsimile. Please be aware of this when requesting information or sending forms to us online or by email or facsimile, for example, from the “Contacting us” section. We recommend that you do not include any sensitive information, including credit card details, when submitting information online, using email or facsimile, or when using any public computers or public Wi-Fi.
Security controls
4.2 | We take commercially reasonable administrative, technical, and physical safeguards designed to protect the Personal Data that we possess against accidental, unlawful, or unauthorised destruction, loss, alteration, access, disclosure, or use. Despite such efforts, however, please note that no company can fully eliminate risks or guarantee complete security of Personal Data. Unauthorised entry or use, hardware or software failure, and other factors may compromise the security of your information. While we strive to put in place appropriate contractual protections, we are unable to guarantee the security of Personal Data hosted on databases run by third parties, and we bear no liability for uses or disclosures of personal information or other data arising in connection with theft of the information or other malicious actions.
4.3 | We store certain customer information and reservation details in our Customer Information System and Reservation System on our subcontractor’s secure servers. Our server resides behind various measures such as firewalls, authentication, access control, integrity protection, encryption and anti-virus tools designed to protect Personal Data collected from you against unauthorised or accidental access. Because laws applicable to personal information vary by country, our hotels or other business operations will put in place additional measures that may be different depending on the applicable legal and regulatory requirements.
Personal Data transmission across international borders
4.4 | As a global company, we endeavour to provide you with the same outstanding service in Hong Kong, as you would find in Beijing, Shanghai, Paris, New York, Tokyo, etc. To achieve this goal, we have established a global network comprised of properties, offices, GCSC, data centres, trusted service providers, and trained associates around the globe. The nature of our business and our operations require us to transfer your Personal Data to other group companies, properties, centres of operations, data centres, or service providers that may be domiciled in countries outside of your own* for the purposes mentioned in this Privacy Policy. Although the data protection and other laws of these various countries may not be as comprehensive as those in your own country, the HSH Group will take appropriate measures, including contractual clauses, to secure the transfer of your Personal Data to recipients (which may be internal or external to the HSH Group) located in a country with a level of protection different from the one existing in the country in which your Personal Data is collected.
*Currently, guest data may be transferred to our headquarters in Hong Kong as well as other countries or regions where we are present, including mainland China, Japan, Vietnam, United Kingdom, United States of America, Thailand, Turkey, the Philippines, and France. We also use third party service providers in countries such as United States of America and Australia to process mailing, certain online bookings, and purchases of gift cards.
4.5 | Special information for EU residents: your Personal Data may be accessed by staff or suppliers, transferred, and/or stored outside the European Economic Area (EEA) including to countries which may have a lower level of data protection than under EU data protection laws. We must comply with specific rules when we transfer Personal Data from inside the EEA to outside the EEA. When we do this, we will use appropriate safeguards to protect any Personal Data being transferred. Where required, we will transfer your Personal Data subject to European Commission approved contractual terms that impose different data protection obligations directly on the recipient. Please contact us as set out in Section 6 below if you would like to see a copy of the specific safeguards we apply to the export of your Personal Data; these may be redacted to protect commercially sensitive or confidential information.
4.6 | Your Personal Data will be stored for the period of time required or permitted by law in the jurisdiction of the operation holding the information (e.g., certain transaction details and correspondence may be retained until the time limit for claims in respect of the transaction has expired or to comply with regulatory requirements regarding the retention of such data). Hence, if information is used for two purposes, we will retain it until the purpose with the latest period expires, but we will stop using it for the purpose with a shorter period once that period expires.
4.7 | Our retention periods are based on business needs and on the applicable statutory requirements.
6 | Contacting Us
6.1 | If you have any questions about this Privacy Policy or our processing of your Personal Data, please contact us at:
Data Privacy Team
The Hongkong and Shanghai Hotels, Limited
Alternatively, you can contact our Representative in the European Union at:
c/o The Peninsula Paris
Attention: Executive Office / HSH Management Services Limited
Or our Representative in the United Kingdom at:
Peninsula London Limited
c/o The Peninsula London Pre-Opening Office
Attention: Executive Office / HSH Management Services Limited
7 | Cookies
7.1 | Our websites use cookies to distinguish you from other users of the relevant website. This helps us provide you with a good experience when you browse our websites and also allows us to improve our websites. For detailed information on the cookies that we use and the purposes for which we use them, please refer to our Cookies Policy.
8 | Changes to the Privacy Policy
8.1 | In the future, we may need to make changes to this Privacy Policy. All changes will be included in the latest Privacy Policy published on our websites or mobile application, so that you will always understand our current practices with respect to the Personal Data we collect, how we may use it, and how we may disclose it to third parties. Any changes to our Privacy Policy will become effective upon posting of the revised Privacy Policy. If required by the applicable laws and regulations, we will notify you of any major changes to this Privacy Policy, which include, but are not limited to, major changes to the purpose of processing your Personal Data, the types of the Personal Data we collect and how we use the Personal Data, as well as major changes to your rights over Personal Data and the way you can exercise such rights. Unless otherwise required by the applicable laws and regulations, you will be deemed to have accepted and agreed to the revised Privacy Policy then in effect by visiting our websites or using our services after such changes.
9 | Other Sites
9.1 | The website or mobile application may contain links to other third-party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you provide any personal information to such third-party websites.
Annex I: Local Specific Provisions – for residents in California and Nevada
If you are a California resident, you have the right to ask us what information we have collected, used, disclosed, and sold about you in the preceding 12 months. You also have the right to request us to delete the Personal Data we have collected from you. Please contact us via one of the toll-free numbers listed below or email us at privacy@peninsula.com to exercise your rights. We will verify your request by matching information you provide to us with information we already have about you. We will not discriminate against you because you have exercised any of your rights under the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). You can designate someone else to make a request by having them execute a notarised power of attorney to act on your behalf. We will maintain a record of your CCPA and CPRA rights requests.
Under California law we are required to tell California residents if we “sell” information as that term is defined by applicable law (i.e., sharing the Personal Data with a third party for monetary or other valuable consideration). We confirm to California residents that we do not do this based on our understanding of that term. We also do not have actual knowledge that we sell the Personal Data of Minors under the age of 16. In relation to our disclosure obligations in Nevada, we confirm that we do not exchange Nevada residents’ Personal Data for money with any person for such person to license or sell the Personal Data to additional persons. By emailing us at privacy@peninsula.com, Nevada residents may opt out of the future sale of their Personal Data to a third party. For our US properties, we have the following toll-free numbers available for you to make a request in relation to your Personal Data to us:
Annex II: Local Specific Provisions – for individuals in China
We make this Annex II in accordance with the Personal Information Protection Law of the People’s Republic of China (“PIPL”) for residents of the People’s Republic of China (for the purpose of the Annex II of this Privacy Policy only, it does not include Hong Kong SAR, Macao SAR and Taiwan district, hereinafter referred to as “China”) and individuals who are in China. In case of any conflict between this Annex II and the main text of this Privacy Policy, Annex II shall prevail.
Effective Date: 1 July 2011
Last Updated: 5 April 2023