Data Privacy and Security Policy
Last Updated: 11 December 2023
This Data Privacy and Security Policy (“Privacy Policy”) sets out how The Hongkong and Shanghai Hotels, Limited and its group companies and affiliates (“HSH Group”, “we” or “us”) collects, stores and handles “Personal Data” (i.e., any personal information that can be used to identify a living individual), which we may collect:
- through websites operated by us from which you are accessing this Privacy Policy, including hshgroup.com, peninsula.com and other websites owned or controlled by the HSH Group (“Websites”);
- through software applications (including automated tools and chat functionalities) made available by us for use on or through computers and mobile devices (“Apps”);
- through email messages that we send you that link to this Privacy Policy and through your communications with us online or in person;
- from third parties or other sources such as public databases, marketing partners, and other third parties; and
- when you visit or stay as a guest or tenant at one of our properties or through other offline interactions (“Guest Interactions”).
Collectively, we refer to our Websites, the Apps, and Guest Interactions as our “Services”.
You may get the list of relevant companies within the HSH Group by clicking here.
This Privacy Policy is intended to ensure you can make informed decisions about providing your Personal Data when purchasing our products, using our Services, communicating with us and exercising shareholder’s rights. For any comments or queries, please contact us in accordance with Section 5 (Contacting us) below. You can click here to find our Websites and social media pages, where you may search for a Peninsula Hotel and/or restaurant or other goods and services that we operate or provide.
Please note that our Services are not intended for Minors. By “Minors”, we mean: (i) users under the age of 18 years old; or (ii) in the case of a region where the minimum age for processing Personal Data differs, such different age. We do not knowingly solicit or collect Personal Data from Minors for any purpose unless such information is voluntarily provided or consented to by a parent or a legal guardian. If you believe that we have Personal Data of a Minor without lawful consent, or if you are the parent or guardian of the user of a relevant Minor and wish to withdraw consent, please contact us in accordance with Section 5 (Contacting us) below. For more information about how we collect, process, and protect Personal Data of Minors, please refer to Minors’ Privacy Policy. If you are a parent or a legal guardian of a Minor, please read the Minors’ Privacy Policy before sharing any Minor’s Personal Data with us.
By providing Personal Data to us, you agree to the processing and use set out in this Privacy Policy and have obtained corresponding authorisation (if required). If you do not agree to the processing of Personal Data in the way this Privacy Policy describes, please do not provide such data and stop using the Services.
We have organised and composed the Privacy Policy by major processes and scope of information processing so that you can easily browse the information of most interest to you.
- How we collect and use Personal Data
- How we share Personal Data
- How we transmit, protect, and store Personal Data
- Your rights
- Contacting us
- Cookies
- Changes to the Privacy Policy
- Other Sites
Annex I: Local Specific Provisions – California
Annex II: Local Specific Provisions – China
1 | How we collect and use Personal Data |
1.1 | This section provides more detail on the types of Personal Data we collect from you, and why. It also identifies the legal basis under which we process the relevant Personal Data, to the extent this is required by applicable laws. |
1.2 | In general, we may use the Personal Data set out above to assure your future comfort and attention to your individual needs, and/or assist in developing new services and products and to improve our existing services and products. It is in our legitimate interest to continuously improve and develop our Services. In addition, we may use the above information to comply with our legal obligations, to safeguard our legal rights including (without limitation) in relation to the defence of any claims, and to cooperate with law enforcement agencies, government authorities, regulators and/or the court in connection with proceedings or investigations anywhere in the world. We are obliged to meet our legal obligations, and it is in our legitimate interest to safeguard our legal rights. |
1.3 | There are several ways by which we may collect your Personal Data from you: |
1.4 | If you provide us with Personal Data about other individuals (e.g., family members or travel companions), regardless of whether you are travelling together, you must obtain such individuals’ authorisation or consent to provide us with their details and let them know where they can find a copy of this Privacy Policy. |
1.5 | We may combine information that we have collected offline with information we collect online. We combine information across devices, such as computers and mobile devices. We may also combine information we receive from a third party with information we already have. |
3 | How we transmit, protect, and store Personal Data |
Security of communications | |
3.1 | We take commercially reasonable administrative (e.g., information security and access policies), technical, and physical safeguards designed to protect the Personal Data that we possess. Despite such efforts, however, please note that no company can fully eliminate risks or guarantee complete security of Personal Data. We cannot guarantee the security of your Personal Data transmitted through the Services or otherwise via the Internet – any transmission is at your own risk. Unauthorised entry or use, hardware or software failure, and other factors may also compromise the security of your information. Further, while we strive to put in place appropriate contractual protections, we are unable to guarantee the security of Personal Data hosted on databases run by third parties, and to the extent legally permissible, we bear no liability for uses or disclosures of personal information or other data arising in connection with theft of the information or other malicious actions. |
3.2 | We store certain customer information and reservation details in our Customer Information System and Reservation System on our subcontractor’s secure servers. Our server resides behind various measures such as firewalls, authentication, access control, integrity protection, encryption and anti-virus tools designed to protect Personal Data collected from you against unauthorised or accidental access. Because laws applicable to personal information vary by country, our hotels or other business operations will put in place additional measures that may be different depending on the applicable legal and regulatory requirements. |
International Personal Data transfers | |
3.3 | As a global company, we endeavour to provide you with the same outstanding service in Hong Kong, as you would find in Beijing, Shanghai, Paris, New York, Tokyo, etc. To achieve this goal, we have established a global network comprised of properties, offices, trusted service providers and associates around the globe. The nature of our business and our operations require us to transfer your Personal Data to other Group companies, properties, centres of operations, data centres, or service providers that may be domiciled in countries outside of your own for the purposes mentioned in this Privacy Policy. Currently, personal data may be transferred to our headquarters in Hong Kong as well as other countries or regions where we are present or have data servers, including mainland China, Singapore, Japan, Vietnam, United Kingdom, United States of America, Thailand, Turkey, the Philippines, and France. The relevant countries or jurisdictions for the purposes of any such cross-border Personal Data transfer will depend on your location. |
3.4 | For customers located in relevant jurisdictions, including without limitation the EEA or the UK, transfers between our affiliates in the HSH Group and to third parties use applicable safeguards, such as incorporating standard contractual clauses, obtaining your consent or taking into account adequacy assessments. |
Storage of Personal Data | |
3.5 | Your Personal Data will be stored for the period of time required to fulfil the relevant purpose described in Section 1 (How we collect and use Personal Data) above unless otherwise required or permitted by law. If information is used for two purposes, we will retain it until both purposes have been fulfilled, but we will stop using it for a purpose once that purpose is fulfilled. |
4 | Your rights |
4.1 | Some jurisdictions’ laws grant specific rights to users of the Services. Please refer to the Local Specific Provisions (set out in the relevant annexes to this Privacy Policy), or the applicable laws in your jurisdiction, for an overview of specific rights that may apply to persons subject to data protection laws in the listed jurisdictions and how these can be exercised. |
4.2 | Subject to Section 4.1 above, you may enjoy certain rights in relation to your Personal Data that we hold. Some of these rights only apply in certain circumstances (as set out in more detail below). If you wish to exercise any of these rights, please reach out to us in accordance with Section 5 (Contacting us) below and we will handle your request in line with the applicable law and regulations. |
4.3 | Where we act as a data processor, you should contact the data controller to exercise any of your rights. |
4.4 | Notwithstanding the foregoing, we may from time to time send you announcements when we consider it necessary to do so (for example, when we need to inform you about maintenance, security or safety matters at our properties). These are essential system and Service-related announcements, and you are not able to opt-out of these notifications, which are not promotional in nature. |
Updating information | |
4.5 | We will use reasonable endeavours to ensure that your Personal Data is accurate. In order to assist us with this, you should notify us of any changes to your Personal Data that you have provided to us by updating your details in your account in “My Peninsula”, “Peninsula Perfect Companion” or “Mobile PenKey Concierge” (where applicable) or by contacting us in accordance with Section 5 (Contacting us) below. |
5 | Contacting us |
5.1 | If you have any questions about this Privacy Policy or our processing of your Personal Data, or otherwise want to exercise any rights you may have, please contact us at:
Data Privacy Team
The Hongkong and Shanghai Hotels, Limited
8/F St George’s Building
2 Ice House Street
Central, Hong Kong SAR
Phone: +852 2926 2888
Email: privacy@peninsula.com |
5.2 | You can also reach out to our representatives for data protection purposes as follows:
Representative in the European Union at:
Peninsula Paris Hotel Management SARL
Ref: “EU Representative”
c/o The Peninsula Paris
19 avenue Kléber, Paris, France, 75116
Attention: Executive Office / HSH Management Services Limited
Phone: +33 1 5812 2888
Email: privacy@peninsula.com
Representative in the United Kingdom at:
Peninsula London Limited (Acting as general partner on behalf of Peninsula London, LP)
Ref: “UK Representative”
c/o The Peninsula London
1 Grosvenor Place, London SW1 7HJ, United Kingdom
Attention: Executive Office / HSH Management Services Limited
Phone: +44 20 3959 2888
Email: privacy@peninsula.com
Representative in Thailand at:
Siam Chaophraya Holdings Company Limited
Ref: “Thailand Representative”
c/o The Peninsula Bangkok
333/1 Charoennakorn Road, Klongton-Sai, Klongsan, Bangkok 10600, Thailand
Attention: Executive Office / HSH Management Services Limited
Phone: +66 2 020 2888
Email: privacy@peninsula.com
Representative in Türkiye at:
PIT İstanbul Otel İşletmeciliği Anonim Şirketi
Ref: “Türkiye Representative”
c/o The Peninsula Istanbul
Karaköy, Kemankeş Karamustafapaşa Mahallesi, Kemankeş Caddesi No:34, 34425 Beyoğlu, Istanbul, Türkiye
Attention: Executive Office / HSH Management Services Limited
Phone: +90 212 931 2888
Email: privacy@peninsula.com |
5.3 | We will endeavour to deal with your request within a reasonable time. This is without prejudice to any right you may have to launch a claim with a data protection authority in the region in which you live or work where you think we have infringed data protection laws. |
7 | Changes to the Privacy Policy |
7.1 | In the future, we may need to make changes to this Privacy Policy. All changes will be included in the latest Privacy Policy published on our Websites or Apps, so that you will always understand our current practices with respect to the Personal Data. Any changes to our Privacy Policy will become effective upon posting of the revised Privacy Policy. If required by the applicable laws and regulations, we will notify you of any major changes to this Privacy Policy. Unless otherwise required by the applicable laws and regulations, you will be deemed to have accepted and agreed the revised Privacy Policy then in effect by visiting our websites or using our services after such changes. |
8 | Other sites and languages |
8.1 | Our Websites or Apps may contain links to other third-party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you provide any personal information to such third-party websites. |
8.2 | Except as otherwise prescribed by law or as expressly set out, in the event of any discrepancy or inconsistency between the English version and local language version of this Privacy Policy, the English version shall prevail. |
Annex I: Local Specific Provisions – California |
1. | Scope and application
This section applies to California residents covered by the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020, “CCPA”). For the purposes of this section, “personal information” and “sensitive personal information” have the meanings given in the CCPA and do not include information excluded from the CCPA’s scope. |
2. | Collection and disclosure of personal information
Over the past 12 months, we have collected, and disclosed for a business purpose, the following categories of personal information from or about you or your device:
We disclose each of the categories of personal information that we collect to the following types of entities:
In addition, we do not use or disclose sensitive personal information for purposes other than to perform the services reasonably expected by an average consumer who requests those services. |
3. | Retention of your personal information
The retention period varies for the different categories of data collected. For more information about the retention period, please see Section 3 (How we transmit, protect, and store Personal Data) above. |
4. | Rights under the CCPA
If you are a California resident and the CCPA does not recognise an exception that applies to you or your personal information, you have the right to: |
5. | How to exercise your rights
If you are a California resident to whom the CCPA applies, you may also exercise your rights, if any, regarding other data by contacting us in accordance with Section 5 (Contacting us) above. We may take steps to verify your identity before complying with your request to protect your privacy and security, and may decline your request if we are unable to verify your identity. To verify your identity, we may need the following information from you: your first name, last name, address, phone number, date of birth and email address. Under the CCPA, you may exercise these rights yourself or you may also designate an authorised agent to make these requests on your behalf. In order for us to process the request, you must provide the authorised agent with signed written permission. We reserve the right to require the agent to verify their own identity and to confirm directly with you that you have provided the authorised agent permission to submit the request. |
6. | Contacting us
If you have questions or concerns regarding this Privacy Policy, please contact us in accordance with Section 5 (Contacting us) above. Additionally, for our US properties, we have the following toll-free numbers available for you to make a request in relation to your Personal Data to us: |
Annex II: Local Specific Provisions – China |
We have prepared this Annex II in accordance with the Personal Information Protection Law of the People’s Republic of China (“PIPL”) for residents of the People’s Republic of China (which, for the purpose of the Annex II of this Privacy Policy only, excluding Hong Kong SAR, Macao SAR and Taiwan, “China”) and individuals who are in China. In case of any conflict between this Annex II and the main text of this Privacy Policy, this Annex II shall prevail. |
1. | To whom we share Personal Data
As set out in Section 2 (How we share Personal Data) above, where permitted by the applicable laws and regulations, we may share your Personal Data with our affiliates, service providers, agents, contractors, and other business partners when and if it is necessary to do so. You may find a list of our affiliates with which we share your Personal Data, and their details, by clicking here. In addition, you may contact our Data Privacy Team in accordance with Section 5 (Contacting us) above to obtain information about our business partners with whom we share your Personal Data. |
2. | Software Development Kits (SDK) Provided by Third Parties
To provide you with a better service experience, our websites or online channels may contain SDKs from third-party providers with whom we may share your Personal Data when you use our Services. You may find details of these SDKs and their operators below: |
3. | Personal Data transmission across international borders
In principle, the Personal Data that is generated or collected by us in China will be stored in China. However, to process your reservation and payment and to provide you with our Services, we may need to transfer your Personal Data outside of China. Data protection laws in these countries or regions may be different from those in China and the level of protection to your Personal Data may vary accordingly. If your Personal Data is transferred outside of China, we will take appropriate protective measures as required by the laws and regulations in China, including, as appropriate, carrying out personal data protection impact assessments, obtaining necessary certification from the competent authorities, conducting security assessment by qualified third-party institutes, and/or signing the standard contractual clauses issued by the Cyberspace Administration of China with overseas recipients. |
4. | Special protection of Minors’ Personal Data
Please note that our websites and our products and services are not intended for Minors (i.e., persons under the age of 18) unless expressly stated in the relevant descriptions. We do not knowingly solicit or collect Personal Data of Minors. To ensure that guardians of Minors can make informed decisions regarding provision of Minors’ Personal Data when purchasing and using products and services provided by us, we have published the Minors’ Privacy Policy to explain how we collect, store, use, transfer or disclose the Minors’ Personal Data. If you are a Minor’s guardian, please read and understand the Minors’ Privacy Policy. |
5. | Contacting us
In addition to contacting us in accordance with Section 5 (Contacting us) above, you may contact our data protection officers in China as follows:
Data Protection Officer in China
The Palace Hotel Ltd.
8 Goldfish Lane, Wangfujing, Beijing
The Peninsula Beijing
Phone: +86 10 8516 2888
Email: privacy@peninsula.com
The Peninsula Shanghai Waitan Hotel Company Limited
No. 32, The Bund
32 Zhongshan Dong Yi Road, Shanghai
The Peninsula Shanghai
Phone: +86 21 2327 2888
Email: privacy@peninsula.com
Peninsula Merchandising (Shenzhen) Company Limited
D16, F/8, Block B, Aerospace Science and Technology Plaza, 3rd Street of Haide, Nanshan District, Shenzhen
Phone: +86 0755 2657 9989
Email: privacy@peninsula.com
Please allow 15 business days for us to process any data access requests. Where the request involves complex information gathering, we will advise you of the additional time needed to process your request. |