Data Privacy and Security Policy

This Data Privacy and Security Policy (“Privacy Policy”) sets out how The Hongkong and Shanghai Hotels, Limited and its group companies and affiliates (“HSH Group”, “we” or “us”) collects, stores and handles your Personal Data (i.e., any personal data that can be used to identify you as an individual). You may get the list of companies with the HSH Group by clicking here.

In this Privacy Policy, “The Hongkong and Shanghai Hotels, Limited”, “HSH Group” or “we” refers to the entity responsible for processing your Personal Data, usually the entity collecting your Personal Data (e.g., the operator of the website collecting your Personal Data).

This Privacy Policy is intended to ensure you can make informed decisions about providing Personal Data relating to you when purchasing our products, using our services, communicating with us and exercising shareholder’s rights. For any comments or queries, please contact us as set out in section 6 “Contacting us” and relevant annexes. You can click here to find our websites and social media pages, where you may search for a Peninsula Hotel and/or restaurant or other goods and services that we operate or provide.

Please note that our websites, products, and services are not intended for any minors under the age of 18 (“Minors”), unless expressly stated in the description of the related product or service. We do not knowingly solicit or collect Personal Data from Minors, unless such information are voluntarily provided or consented by a parent or a legal guardian. As a parent or a legal guardian, please do not allow Minors under your custody to provide their Personal Data to us without your permission. For more information about how we collect, process, and protect Personal Data of Minors, please refer to Minors’ Privacy Policy. If you are a parent or a legal guardian of a Minor, please read and choose whether to agree with the Minors’ Privacy Policy before sharing any Minor’s Personal Data with us.

By providing Personal Data to us, you agree to the processing and use set out in this Privacy Policy and have obtained corresponding authorisation (if required). If the Personal Data that you provide will be used for other purposes, we will provide you with the necessary information and corresponding protection measures with respect to these additional purposes in accordance with the applicable laws and regulations.

This Privacy Policy contains general information and technical details about the steps we take to respect your privacy concerns. We have organised and composed the Privacy Policy by major processes and scope of information processing so that you can easily browse the information of most interest to you.

  1. Personal Data we collect
  2. How we use Personal Data
  3. How we share Personal Data
  4. How we transmit, protect, and store Personal Data
  5. Your rights
  6. Contacting us
  7. Cookies
  8. Changes to the Privacy Policy
  9. Other Sites

Annex I: Local Specific Provisions – for residents in California and Nevada
Annex II: Local Specific Provisions – for individuals in China

1

Personal Data we collect
1.1 We may collect and process the following Personal Data about you.

  1. Personal information about you ► personal information that you provide to us, or that we obtain from public channels, including your name, language preference, telephone number, email address and (residential and/or delivery) address and records of your trading history with us;
  2. Registration information of accounts with us ► username and password that you provide to us for registering an account of “My Peninsula”, “Peninsula Perfect Companion” or “Mobile PenKey Concierge”;
  3. Your payment information ► your payment information such as your credit card information (including credit card number, code and expiry date) and your bank account details;
  4. Our correspondence ► if you contact us, via email, telephone or other means of communication, for any purpose (e.g., making enquiries to us before or after a transaction with us), we may keep the correspondence in record;
  5. Social media account information ► depending on your interactions with various social media platforms linked to us or with which we engage, we may process your profile names, account ID, photographs, posts, etc. that are publicly available;
  6. CCTV images and recordings ► to ensure the security of our properties, we may have close circuit television systems installed which will take visual and/or aural recordings where appropriate and relevant, and we may keep recordings as permitted by applicable laws;
  7. Survey information ► we may also ask you to complete surveys that we use for research purposes. In such circumstances we shall collect the information provided in the completed survey;
  8. Your use of our website and mobile applications ► details of your visits to our website, mobile application and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access;
  9. Do-not-track ► Because there is not yet a consensus on how companies should respond to web browser-based do-not-track (DNT) mechanisms, we do not respond to web browser-based DNT signals at this time.

    10. For our hotel related services only (e.g., when you make a hotel or spa reservation, purchase a gift certificate from us, or enjoy customised concierge services to be provided via Mobile PenKey Concierge)

  10. Your travel details and preferences ► we may collect information such as your travel details (including flight number, arrival and departure dates and time, country/region of origin and destination), your frequent flyer information, your travel partner’s information (including accompanying family members, partners or friends), employment information (applicable to group reservation), preferences for room, food and beverages and treatment, internet access, and services (including important dates or anniversaries). We may also need collect information as required by local laws such as the number of identity card or passport, type of entry visa, driver’s license, date and place of birth, gender, title, nationality, etc.;
  11. Your transactions with us ► we collect your itemised spending to properly assemble your folio during your stay, which includes your room rate and other expenses billed to your room.
  12. Your requests for customised concierge services ► we may collect your information via Mobile PenKey Concierge to provide customised services according to your requests, such as your drivers’ license number for renting a car for you and other information to provide lifestyle experiences and sourcing services for goods, foods, entertainments, etc., to you.

    13. For non-hotel related services only (e.g., residential and commercial leasing, and operation of residential clubs and provision of food and beverages, banquet and transport services)

  13. Your requests for related services ► we may collect certain information to satisfy your requests for related services: license plate number (applicable to residential and commercial leasing), co-habitant or visitor (applicable to residential leasing), food and beverages preferences and requests (applicable to provision of food and beverages services), itinerary and activity arrangement (applicable to provision of banquet or transport services), etc.
  14. Your transactions with us ► we may collect information such as details of identity card and passport and particulars of tenancy, employment and club membership.

    15. For communication with shareholders, investors, potential investors and analysts and for verifying shareholders’ identity only (e.g., sharing with you our financial information, announcements and press release and inviting you to our presentations and/or to exercise your shareholder’s rights)

  15. Your requests for related information and exercising shareholders’ rights ► we may collect and store certain information if you submit to us voluntarily: your full name, email address and addresses, percentage of share and vote, phone number, employer and other Personal Data strictly in connection with the investment and, if appropriate, copy of your identification document, for us to communicate with you and/or to verify your identity as our shareholder. We also use any Personal Data that the Hong Kong Share Registrar of The Hongkong and Shanghai Hotels, Limited (currently, Computershare Hong Kong Investor Services Limited) already hold about you.
1.2 We do not collect Personal Data when you apply for a Peninsula/American Express credit card. If you apply for a Peninsula/American Express credit card, you will be required to provide certain personal information as part of the credit card application process. We do not collect any of your personal information supplied to the card issuer in this process. You can refer to American Express’ privacy statement posted on their website to understand how the information you supply will be used. American Express is the issuer of the credit card, and all terms and conditions of being a cardholder are dictated by American Express.
1.3 There are several ways by which we may collect your Personal Data from you: (i) we may collect your Personal Data from you directly by engaging with you, for example, when you make a direct booking on our website, or when you book or purchase our service or product in-person; and (ii) we may also collect Personal Data from third parties including agents and online service providers that make hotel, spa or restaurant reservations on your behalf, facilitate online payments or gift purchases or that are otherwise involved in the reservations process or delivering our services to you; finally, (iii) we may also collect Personal Data from you through your activity on social media platforms that link to us such as Facebook fan pages or WeChat Official Account, or when you share content, photographs or follow us. Please note that these social media platforms will have their own privacy policies and procedures governing the processing of your Personal Data.
1.4 If you provide us with Personal Data about other individuals (e.g., family members or travel companions), regardless of whether you are travelling together, you must obtain such individuals’ authorisation or consent to provide us with their details and let them know where they can find a copy of this Privacy Policy.
Special Categories of Personal Data
1.5 Under certain circumstances, the Personal Data that you provide, or we collect, may be deemed as a “Special Category of Personal Data” in accordance with the privacy laws and regulations in some countries/regions. Leakage or illegal use of the Special Categories of Personal Data may cause harm or detriment to your reputation, health, body, or property. Special Categories of Personal Data are a subset of Personal Data, including but not limited to, information relating to your health, political opinions, religious beliefs, ethnicity and race, special identity, whereabouts, financial account, sex life, trade union membership and (under certain circumstance) Personal Data related to criminal records, as well as Personal Data of any children at or under the age of 14.
1.6 As a general rule, we do not process the Special Categories of Personal Data. However, under certain circumstances, we may process the Special Categories of Personal Data, such as health/medical information in order to handle accidents, medical service needs and/or claims according to the Section 2.1(h) below. Where we process the Special Categories of Personal Data to handle the foregoing incidents, we do so to protect the vital interests of you or other people. Where we process the Special Categories of Personal Data to handle claims, we do so for establishing, exercising or defending legal claims or whenever courts are acting in their jurisdiction.
1.7 In addition to the Section 1.6 above, we may process the Special Categories of Personal Data only for special purpose and under necessary circumstances where you have provided them to us, including health/medical information (e.g., allergies, physical challenges, dietary requirements) so that we can provide our services (e.g., spa treatments and food & beverage) safely to you, and will take strict protective measures in accordance with applicable laws.
1.8 According to the applicable laws, we will only collect, process, or disclose the Special Categories of Personal Data as set out in the Section 1.7 above where we have obtained your explicit consents and are required to do so. Where you are providing any Special Category of Personal Data of your travel companion, you acknowledge that you have procured their consent for us to collect, process, and disclose their Personal Data.

2

How we use Personal Data
2.1 We may use your Personal Data for the following purposes.

Please note that the use of your Personal Data under the applicable laws governing this Privacy Policy must be based on at least one of a number of legal “grounds” and we have set out the grounds in respect of each use in this Privacy Policy. An explanation of the scope of the grounds available can be found here.

  1. To administer your reservations ► to process your reservation requests, which may be made via our website, mobile application, our Global Customer Service Centre (GCSC) or our third-party service providers’ website and to confirm your booking. We may send a confirmation of your booking via email, SMS, or other means and a pre-arrival message summarising your reservation details, preferences and information about the hotel, the surroundings, and the weather in the case of room reservations.
    Use justification: contract performance, legitimate interests (to enable us to perform our obligations and provide services to you);
  2. To provide you with services and information ► to provide and charge for (i) hotel related services, including but not limited to accommodation, food and beverages and spa treatment, and to facilitate any special requests or assistance that you have asked for, and (ii) non-hotel services and information including residential club, banquet events, commercial and residential leasing, concierge and transport services and information as per request of shareholders, investors and analysts.
    Use justification: contract performance, legitimate interests (to enable us to perform our obligations and provide services to you);
  3. To complete your purchase ► to complete your orders when you purchase a Peninsula gift certificate, pre-paid card or merchandise.
    Use justification: contract performance, legitimate interests (to enable us to perform our obligations and provide services and products to you);
  4. To customise our services and products to you ► to assure your future comfort and attention to your individual needs, we collect and store specific information about you, such as your food and beverages preferences and other special requests. For example, if you are a repeat guest of our hotels or restaurants or have filled out our food and beverages questionnaire, we may store your Personal Data in our system to serve you better upon your return.
    Use justification: consent (which can be withdrawn at any time – please see section 5.2(e) below), legitimate interests (to allow us to provide customised services and products to you);
  5. To provide marketing materials to you ► to provide you with updates, offers, and subscriptions where you have chosen to receive these, or connected with us via social media platforms, such as WeChat. With your consent, we may send you information about The Peninsula Hotels, the Peak Tram, and restaurants and residential clubs operated by our group companies, including news, offers and promotions about our hotels and arcades, food and beverages, spa, merchandise, branded residences, touristic services and special events by us or our arcade partners via different channels of communications such as by post, email, telephone, or SMS. You may also see these offers, promotions, and information on social media platforms through which you have connected with us. Please note that this is subject to the terms and conditions of use of the relevant social media platform. We will send you communications that you want to receive and via the method you select. When you opt-in to receiving promotional material either on a guest registration card or when you register an account of “My Peninsula” or “Peninsula Perfect Companion”, patronise our restaurants, sign up on our websites, or communicate with us in other occasions online and offline and provide your details to us specifically and expressly in order to receive marketing communications specified above, we will periodically contact you via your preferred channel(s). We typically use third party email service providers to send emails. These service providers are contractually prohibited from using your email address for any purpose other than to send emails related to the HSH Group operations and any organised special events. Your Personal Data will not be shared with third parties for their own marketing purposes. You may unsubscribe from all marketing communications at any time you want. Every time you receive an email, you will be provided with the choice to opt-out of future emails by following the instructions provided in the email. You may also opt-out of receiving promotional materials at any time by updating your “My Peninsula” or “Peninsula Perfect Companion” account or contacting us as set out in the Section 6 below and relevant annexes.
    Use justification: consent (which can be withdrawn at any time – please see section 5.2(e) below);
  6. For analytics and profiling ► to tailor our marketing communication to you. In connection with our marketing activities, we analyse information that we collect about customers to determine what offers are most likely to be of interest to different categories of customers in different circumstances and at different times. To do this for hotel-related services, we combine Personal Data that we have collected about a customer from a Peninsula Hotel with Personal Data that we have collected from the same customer from another Peninsula Hotel. Such Personal Data include customer behavioural information such as transaction history, spending pattern, preferences, service requests and interactions with us. From time to time, we will assess the Personal Data that we hold about you, where can also help us avoid sending you offers that are inappropriate or unlikely to be of interest to you. You have the right and may exercise it at any time to opt-out of such analysis of your Personal Data by contacting us as set out in the Section 6 below and relevant annexes.
    Use justification: consent (which can be withdrawn at any time – please see section 5.2(e) below), legitimate interests (to enable us to tailor our marketing communication to you);
  7. To comply with our legal obligations and defend our legal rights ► to comply with our legal obligations such as financial reporting requirements imposed by our auditors and government authorities, to safeguard our legal rights including (without limitation) in relation to the defence of any claims, and to cooperate with law enforcement agencies, government authorities, regulators and/or the court in connection with proceedings or investigations anywhere in the world where we are compelled to do so.
    Use justification: legal obligation, legal claims, legitimate interests (to cooperate with law enforcement and regulatory authorities);
  8. To handle accidents and medical service requests and process any claims we receive ► to handle any accidents (such as liaising with emergency services) and medical service requests, and to handle any claims made by customers such as personal injury claims. Please note that this may also require to process the Special Categories of Personal Data – please see section 1.6 for further information about this.
    Use justification: vital interest (in relation to the Special Categories of Personal Data), legal claims, legitimate interests (to ensure that incidents and accidents will be handled appropriately and to allow us to assist our customers);
  9. To improve our services and products ► to assist in developing new services and products and to improve our existing services and products.
    Use justification: consent (which can be withdrawn at any time – please see section 5.2(e) below), legitimate interests (to allow us to continuously improve and develop our services);
  10. To ensure our website and mobile application function correctly ► to ensure that content from our website and mobile applications is presented in the most effective manner for you and for your computer.
    Use justification: contract performance, legitimate interests (to allow us to provide you with the content and services on the Website); and
  11. In connection with any reorganisation of our business ► to analyse, or enable the analysis of, any proposed sale or reorganisation of our business.
    Use justification: contract performance, legitimate interests (to allow us to continue providing services to you).

    12. Applicable to hotel-related services only

  12. To register you as a user ► to create your My Peninsula account. You can create, review, or update your information in My Peninsula account (including your Personal Data) online upon completing an online room reservation.
    Use justification: consent (which can be withdrawn at any time – please see section 5.2(e) below), legitimate interests (to allow us to register a user account for you).

    13. Applicable to hotel-related and non-hotel related services

  13. To enjoy digitalised intelligent customer services ► to join the program of “Peninsula Perfect Companion” to enjoy our digitalised intelligent customer services. You can create, review, or update your information in the mini program “Peninsula Perfect Companion / 半岛臻伴” (including your Personal Data and preferences) on WeChat.
    Use justification: consent (which can be withdrawn at any time – please see section 5.2(e) below), contract performance, legitimate interests (to allow us to register a user account for you)
  14. To enjoy exclusive concierge services ► to enrol in the program of “Mobile PenKey Concierge” to enjoy exclusive lifestyle services provided by us. You can create, review, or update your information in “Mobile PenKey Concierge” (including your Personal Data and preferences).
    Use justification: consent (which can be withdrawn at any time – please see section 5.2(e) below), contract performance, legitimate interests (to allow us to register a user account for you)
  15. To provide investment-related services to you ► to notify you from time to time of the release dates of the company’s financial information and/or to send you email alerts about the links to company announcements, company press releases, invitation to company investor presentations or media briefings via webcasts or other live streaming of digital meeting formats and/or other information which investors may find relevant.
    Use justification: consent (which can be withdrawn at any time – please see section 5.2(e) below), legitimate interests (to enable us to perform our obligations and provide services to you)

    16. Applicable to communication with shareholders, investors, potential investors and analysts only

  16. To complete an investor or media registration form ► to apply to receive notifications of the release dates of our financial information, email alerts about (and links to) our announcements, press releases, invitations to our investor presentations or media briefings (including via webcasts or other live streaming or digital meeting formats) and/or certain other information.
  17. To register for webcast and participating in Q&A session ► to register to participate in a company webcast or other live streaming or digital meeting format, including of shareholder meetings or results presentations and to participate in an associated Q&A session.
    Use justification: consent (which can be withdrawn at any time – please see section 5.2(e) below), legitimate interests (to enable us to perform our obligations and provide services to you)

    18. Applicable for shareholders to exercise the rights only

  18. To complete various investor relations processes ► for example, to complete shareholder proxy voting forms, to enable you to attend, participate in, and exercise your shareholder rights during and including asking questions at our shareholder meetings.
    Use justification: consent (which can be withdrawn at any time – please see section 5.2(e) below), legitimate interests (to enable us to perform our obligations and provide services to you)
2.2 We may combine information that we have collected offline with information we collect online. We combine information across devices, such as computers and mobile devices. We may also combine information we receive from a third party with information we already have.

3

How we share Personal Data
3.1 We may share your Personal Data with the following parties.

  1. Affiliates ► to provide you with services and ensure the consistency of service standard and business management, we may share your Personal Data with the affiliates in HSH Group. We only share necessary Personal Data when we are required to do so. Our affiliates have signed intra-group data sharing agreements and undertake to be governed by this Privacy Policy when handling Personal Data. If an affiliate needs to change the handling purpose of Personal Data, your consent will be obtained again. You may find a list of our affiliates by clicking here.
    Use justification: contract performance, legitimate interests (to allow us to effectively provide services to you and conduct operation and management);
  2. Third party service providers who process Personal Data on our behalf to help us undertake the activities described in the Section 2 ► We may permit selected third parties such as service providers, agents, contractors, entities which may be the hotel owner, and other HSH Group companies to use your Personal Data for the purposes set out in the Section 2, including:
    1. Specialised agents helping us to provide advertisements and promotional campaigns and events and analyse their effectiveness, to manage your communications and questions to us, to maintain the relationship with you, to provide personalised services for you, and to send marketing communications to you with your consent in advance;
    2. Third party vendors helping us to deliver products to you, such as post offices and couriers;
    3. Payment service providers and credit reporters helping us to assess your credit score, to verify your information (if and when this is required for signing certain contracts) and to process your online payment;
    4. Third party vendors helping us to provide customer or concierge services and customer care;
    5. Travel agencies, firms or companies helping us to provide training, seminars, banquets, events, personalized experience services;
    6. Consulting firms helping us to manage client relationship and to provide reports and analysis of market research and customer surveys.

    Use justification: contract performance, legitimate interests (to allow us to effectively provide services to you and to run and manage our business);

  3. Law enforcement agencies, government authorities, regulators, and the court to comply with our legal obligations or to handle incidents/ claims ► We may disclose your Personal Data when required by relevant laws or by court order or requested by other government or law enforcement authorities to assist with proceedings or investigations. Where permitted, we will direct any such request to you or notify you before responding unless doing so would prejudice the prevention or detection of an actual or suspected crime. This also applies when we have reason to believe that disclosing the Personal Data is necessary to obtain legal advice and/or to identify, investigate, protect, contact, or bring legal action against someone who may intentionally or unintentionally cause interference with or damage to our guests, visitors, associates, properties, or others.
    Use justification: legal obligation, legal claims, legitimate interests (to cooperate with law enforcement and regulatory authorities); and
  4. Third parties who require such data in connection with a change in the structure of our business ► In the event that we (or a part thereof) are (i) subject to negotiations for the sale of our business or (ii) sold to a third party or (iii) undergo a reorganisation, any of your Personal Data which we hold may be transferred to that re-organised entity or third party and used for the same purposes as set out in this Privacy Policy, or for the purpose of analysing any proposed sale or re-organisation. We will ensure that no more of your Personal Data is transferred than necessary.
    Use justification: contract performance, legitimate interests (to allow us to run and manage our business).
3.2 This Privacy Policy does not apply to third party providers (e.g., airlines, online travel agents, car rental companies, table booking websites) who may collect personal information from you and may share it with us. In these situations, we strongly advise you to review the applicable third-party provider’s privacy policy before providing your personal information.

Use Justifications


We note the grounds we use to justify each use of your Personal Data next to the use in the How we use Personal Data and How we share Personal Data sections of this Privacy Policy.

These are the principal legal grounds that justify our use of your Personal Data:

Consent: where you have consented to our use of your Personal Data (we will obtain your oral or written consent in relation to any such use).
Contract performance: where your Personal Data is necessary to enter into or perform our contract with you.
Legal obligation: where we need to use your Personal Data to comply with our legal obligations.
Legitimate interests: to the extent permitted by applicable laws and regulations, where we use your Personal Data to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.
Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.
Vital interest: where we need to process your Personal Data to protect the vital interest of you or another natural person, e.g., where you require urgent assistance.

These are the principal legal grounds that justify our use of your Special Categories of Personal Data:

Explicit consent: You have given your explicit consent for us to process those Personal Data for one or more specified purposes. In some cases, in accordance with applicable laws, we will also seek your separate consent. You are free to withdraw your consent by contacting us. Where you do so, we may be unable to provide a service that requires the use of such data.
Protection of vital interests of you or other people, where you are unable to give us consent: processing is necessary to protect the vital interests of you or of another natural person where you are physically or are legally incapable of giving consent.

4

How we transmit, protect and store Personal Data
Security of communications
4.1 It is important to note that transmitting information over security system or the internet cannot be guaranteed to be one hundred percent secure. There is a risk inherent in the submission of information online and the use of email and facsimile. Please be aware of this when requesting information or sending forms to us online or by email or facsimile, for example, from the “Contacting us” section. We recommend that you do not include any sensitive information including credit card details when submitting information online, using email, facsimile or when using any public computers/public WIFI.
Security controls
4.2 We take commercially reasonable administrative, technical, and physical safeguards designed to protect the Personal Data that we possess against accidental, unlawful, or unauthorised destruction, loss, alteration, access, disclosure, or use. Despite such efforts, however, please note that no company can fully eliminate risks or guarantee complete security of Personal Data. Unauthorised entry or use, hardware or software failure, and other factors may compromise the security of your information. While we strive to put in place appropriate contractual protections, we are unable to guarantee the security of Personal Data hosted on databases run by third parties, and we bear no liability for uses or disclosures of personal information or other data arising in connection with theft of the information or other malicious actions.
4.3 We store certain customer information and reservation details in our Customer Information System and Reservation System on our subcontractor’s secure servers. Our server resides behind various measures such as firewalls, authentication, access control, integrity protection, encryption and anti-virus tools designed to protect Personal Data collected from you against unauthorised or accidental access. Because laws applicable to personal information vary by country, our hotels or other business operations will put in place additional measures that may be different depending on the applicable legal and regulatory requirements.
Personal Data transmission across international borders
4.4 As a global company, we endeavour to provide you with the same outstanding service in Hong Kong, as you would find in Beijing, Shanghai, Paris, New York, Tokyo, etc. To achieve this goal, we have established a global network comprised of properties, offices, GCSC, data centres, trusted service providers, and trained associates around the globe. The nature of our business and our operations require us to transfer your Personal Data to other group companies, properties, centres of operations, data centres, or service providers that may be domiciled in countries outside of your own* for the purposes mentioned in this Privacy Policy. Although the data protection and other laws of these various countries may not be as comprehensive as those in your own country, the HSH Group will take appropriate measures, including contractual clauses, to secure the transfer of your Personal Data to recipients (which may be internal or external to the HSH group) located in a country with a level of protection different from the one existing in the country in which your Personal Data is collected.

*Currently, guest data may be transferred to our headquarters in Hong Kong as well as other countries or regions where we are present, including mainland China, Japan, Vietnam, United Kingdom, United States of America, Thailand, Turkey, the Philippines, and France. We also use third party service providers in countries such as United States of America and Australia to process mailing, certain online bookings, and purchases of gift cards.
4.5 Special information for EU residents: your Personal Data may be accessed by staff or suppliers, transferred, and/or stored outside the European Economic Area (EEA) including to countries which may have a lower level of data protection than under EU data protection laws. We must comply with specific rules when we transfer Personal Data from inside the EEA to outside the EEA. When we do this, we will use appropriate safeguards to protect any Personal Data being transferred. Where required, we will transfer your Personal Data subject to European Commission approved contractual terms that impose different data protection obligations directly on the recipient. Please contact us as set out in the Section 6 below if you would like to see a copy of the specific safeguards we apply to the export of your Personal Data; these may be redacted to protect commercially sensitive or confidential information
4.6 Your Personal Data will be stored for the period of time required or permitted by law in the jurisdiction of the operation holding the information (e.g., certain transaction details and correspondence may be retained until the time limit for claims in respect of the transaction has expired or to comply with regulatory requirements regarding the retention of such data). Hence, if information is used for two purposes, we will retain it until the purpose with the latest period expires, but we will stop using it for the purpose with a shorter period once that period expires.
4.7 Our retention periods are based on business needs and on the applicable statutory requirements.

5

Your rights
Opt-out of marketing
5.1 You have the right to ask us not to process your Personal Data for marketing purposes at any time. You can exercise your right by checking certain boxes online or on the data collection forms, by talking to us in person, or by contacting us via the manner as set out in the Section 6 below and relevant annexes. If you opt out of receiving our marketing messages, where permitted by the applicable laws, you may continue to receive other messages from us as required by the relationship between you and us.
Other rights
5.2 Subject to various exceptions and applicable data protection laws in your country, you may enjoy the following rights and exercise them by contacting us via the manners as set out in the Section 6 below and relevant annexes:

  1. Access: you can ask us to provide you with further details on the use we make of your Personal Data and a copy of the Personal Data we hold about you;
  2. Correction: you can ask us to correct any inaccuracies in the Personal Data we hold about you;
  3. Complaint: if you are not satisfied with our use of your Personal Data or our response to any exercise of these rights, you may have the right to complain to the data protection authority in your country;
  4. Erasure: you can ask us to delete your Personal Data if we no longer have a lawful ground for use, unless other requirements specified by applicable laws and regulations;
  5. Withdrawal of consent: where processing is based on consent (e.g., marketing, or certain uses of the Special Categories of Personal Data), you can withdraw your consent to our processing, and we will stop that particular processing;
  6. Object to processing: you have the right to object to other types of processing (e.g., analytics and profiling activities carried out in relation to your Personal Data), unless our reasons for such processing outweigh any prejudice to your data protection rights;
  7. Restriction: you can restrict how we use your Personal Data pending any investigation, e.g., whilst we are verifying the accuracy of your Personal Data or where we are verifying the grounds that we use as the basis of holding your Personal Data;
  8. Portability: where technically feasible and permitted by applicable laws, you have the right to ask us to export the Personal Data that you have provided to us to a third party in a structured, commonly used and machine-readable form.
  9. Cancellation of your account: you have the right to cancel your account with us. Please note that you cannot use all or part of the functions and services after account cancellation. We will delete your Personal Data within a reasonable time limit.
  10. Refusal of automated decision: for providing you with personalised contents and customised advertising recommendations, we may process the Personal Data that we collect through big data analysis, algorithms, and other inartificial automated decision-making technologies to make decisions (such as corporate sales and marketing information). Should you do not wish us to use such technologies or to process your Personal Data in such ways, or you have any question about the results of automated decision and believe that the results of automated decision are wrong causing adverse effects on you during the course of processing, or you intend to close the display of personalised contents, you may contact us via the manners as set out in the Section 6 below and relevant annexes, and we will provide you with the way to close it or other appropriate reliefs.
Updating information
5.3 We will use reasonable endeavours to ensure that your Personal Data is accurate. In order to assist us with this, you should notify us of any changes to your Personal Data that you have provided to us by updating your details in your account in “My Peninsula”, “Peninsula Perfect Companion” or “Mobile PenKey Concierge” by contacting us via the manners as set out in the Section 6 below and relevant annexes.
5.4 Inform of security events: in case of any rare data security event, we will inform you of the disclosure of your Personal Data in accordance with the relevant laws and regulations.

6

Contacting Us
6.1 If you have any questions about this Privacy Policy or our processing of your Personal Data, please contact us at:

Data Privacy Team

The Hongkong and Shanghai Hotels, Limited
8/F St George’s Building
2 Ice House Street
Central, Hong Kong SAR
Phone: +852 2926 2888
Email: privacy@peninsula.com

Alternatively, you can contact our Representative in the European Union at:
Peninsula Paris Hotel Management SARL
Ref: “EU Representative”

c/o The Peninsula Paris
19 avenue Kléber,
Paris, France, 75116

Attention: Executive Office / HSH Management Services Limited
Phone: +33 1 5812 2888
Email: privacy@peninsula.com

Or our Representative in the United Kingdom at:

Peninsula London Limited
(Acting as general partner on behalf of Peninsula London, LP)
Ref: “UK Representative

c/o The Peninsula London Pre-Opening Office
First Floor, Interpark House,
Down Street, London W1J 7AJ, United Kingdom

Attention: Executive Office / HSH Management Services Limited
Phone: +44 20 8106 2888
Email: privacy@peninsula.com

7

Cookies
7.1 Our websites use cookies to distinguish you from other users of the relevant website. This helps us provide you with a good experience when you browse our websites and also allows us to improve our websites. For detailed information on the cookies that we use and the purposes for which we use them, please refer to our Cookies Policy.

8

Changes to the Privacy Policy
8.1 In the future, we may need to make changes to this Privacy Policy. All changes will be included in the latest Privacy Policy published on our websites or mobile application, so that you will always understand our current practices with respect to the Personal Data we collect, how we may use and disclosures to third parties of these Personal Data. Any changes to our Privacy Policy will become effective upon posting of the revised Privacy Policy. If required by the applicable laws and regulations, we will notify you of any major changes to this Privacy Policy, which include but not limited to, major changes to the purpose of processing your Personal Data, the types of the Personal Data we collect and how we use the Personal Data, as well as major changes to your rights over Personal Data and the way how you can exercise such rights. Unless otherwise required by the applicable laws and regulations, you will be deemed to have accepted and agreed the revised Privacy Policy then in effect by visiting our websites or using our services after such changes.

9

Other Sites
9.1 The website or mobile application may contain links to other third-party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you provide any personal information to such third-party websites.

Annex I: Local Specific Provisions – for residents in California and Nevada
If you are a California resident, you have the right to ask us what information we have collected, used, disclosed, and sold about you in the preceding 12 months. You also have the right to request us to delete the Personal Data we have collected from you. Please contact us via one of the toll-free numbers listed below or email us at privacy@peninsula.com to exercise your rights. We will verify your request by matching information you provide to us with information we already have about you. We will not discriminate against you because you have exercised any of your rights under the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). You can designate someone else to make a request by having them execute a notarised power of attorney to act on your behalf. We will maintain a record of your CCPA and CPRA rights requests.

Under California law we are required to tell California residents if we “sell” information as that term is defined by applicable law (i.e., sharing the Personal Data with a third party for monetary or other valuable consideration). We confirm to California residents that we do not do this based on our understanding of that term. We also do not have actual knowledge that we sell the Personal Data of Minors under the age of 16.

In relation to our disclosure obligations in Nevada, we confirm that we do not exchange Nevada residents’ Personal Data for money with any person for such person to license or sell the Personal Data to additional persons. By emailing us at privacy@peninsula.com, Nevada residents may opt out of the future sale of your Personal Data to a third party.

For our US properties, we have the following toll-free numbers available for you to make a request in relation to your Personal Data to us:

  1. The Peninsula Beverly Hills: +1 800 462 7899
  2. The Peninsula Chicago: +1 866 288 8889
  3. The Peninsula New York: +1 800 262 9467
  4. Quail Lodge & Golf Club: +1 866 675 1101

Annex II: Local Specific Provisions – for individuals in China
We make this Annex II in accordance with the Personal Information Protection Law of the People’s Republic of China (“PIPL”) for residents of the People’s Republic of China (for the purpose of the Annex II of this Privacy Policy only, it does not include Hong Kong SAR, Macao SAR and Taiwan district, hereinafter referred to as “China”) and individuals who are in China. In case of any conflict between this Annex II and the main text of this Privacy Policy, Annex II shall prevail.

  1. To whom we share Personal Data
    As set out in “How we share Personal Data” in the Section 3 in the main text of this Privacy Policy, where permitted by the applicable laws and regulations, we may share your Personal Data with our affiliates, service providers, agents, contractors, and other business partners when and if it is necessary to do so. You may find a list of our affiliates to which we share your Personal Data and to know their details by clicking here. In addition, you may contact our Data Privacy Team as set out in the Section 6 in the main text of this Privacy Policy and Annex II to obtain information of our business partners and to whom we share your Personal Data.
  2. Software Development Kits (SDK) Provided by Third Parties
    To provide you with a better service experience as described in the main text of this Privacy Policy, our websites or online channels may contain SDK from third-party providers. We may share your Personal Data with the relevant SDK providers when you are using our products or services which may involve the following functions. You may find details of these SDKs and their operators below:

    Name Function Type of personal data collected Operator Privacy policy/hyperlink to official website
    Gift platform API Support users to shop on e-commerce platforms Information of orders and addressees, user’s name and email address Techsembly Pte. Ltd https://www.techsembly.com/privacy-policy
    Spa Booking Engine Support users to reserve spa service Name, email address and phone number CPS Graphics, Inc. dba Tambourine https://www.tambourine.com/privacy-policy
    Revinate API User information management Name and email Revinate, Inc. https://www.revinate.com/privacy/
    Splio Order management Name, birthday, mobile phone number, WeChat ID, region Shanghai Splio Information Consulting Co., Ltd. https://splio.com/zh/data-protection-zh/
    WeChat Order Management Support users to reserve rooms Name, birthday, mobile phone number, WeChat ID, stay period Beijing Shiji Information Technology Co., Ltd. https://www.shijigroup.com/legal/terms-and-conditions
    WeChat Content Management and Customer Relationship Management Data management and statistical analysis User’s WeChat ID and nickname, pages and contents visited, and duration of visit Shanghai JINGdigital Co., Ltd. https://www.jingdigital.com/%E9%9A%90%E7%A7%81%E6%94%BF%E7%AD%96/

    We will conduct necessary security testing to all third-party SDKs and require third-party providers to implement strict measures to protect the security of your Personal Data. Meanwhile, we may update the SDKs’ information according to changes in service requirements and business functions from time to time. You can find the most updated version in our latest Privacy Policy.

  3. Personal Data transmission across international borders
    In principle, the Personal Data that are generated or collected by us in China will be stored in China as well. To process your reservation and payment and to provide with you our relevant services, we may need to transfer your Personal Data outside of China. Data protection laws in these countries or regions may be different from those in China and the level of protection to your Personal Data may vary accordingly.If your Personal Data is transferred overseas, we will take appropriate protective measures as required by the laws and regulations in China, including carrying out personal data protection impact assessment, and as the case may be completing certification by the competent authorities, security assessment by qualified third-party institutes, or signing the standard contractual clauses issued by the Cyberspace Administration of China with overseas recipients.
  4. Special protection of Minors’ Personal Data
    Please note that our websites and our products and services are not intended for Minors (under the age of 18) unless expressly stated in the relevant descriptions. We do not knowingly solicit or collect Personal Data of Minors. To ensure that guardians of Minors can make informed decisions regarding provision of Minors’ Personal Data when purchasing and using products and services provided by us, we have published the Minors’ Privacy Policy to explain how we collect, store, use, transfer or disclose the Minors’ Personal Data. If you are a Minor’s guardian, please read and understand the Minors’ Privacy Policy.
  5. Contacting us
    Global Data Privacy Team

    The Hongkong and Shanghai Hotels, Limited
    8/F St George’s Building
    2 Ice House Street
    Central, Hong Kong SAR
    Phone: +852 2926 2888
    Fax: +852 2732 2933
    Email: privacy@peninsula.com

    Data Protection Officer in China Mainland

    The Palace Hotel Ltd.
    8 Goldfish Lane, Wangfujing, Beijing
    The Peninsula Beijing
    Phone: +86 10 8516 2888
    Email: privacy@peninsula.com

    The Peninsula Shanghai Waitan Hotel Company Limited
    No. 32, The Bund 32 Zhongshan Dong Yi Road, Shanghai
    The Peninsula Shanghai
    Phone: +86 21 2327 2888
    Email: privacy@peninsula.com

    Please allow 15 business days for us to process any data access requests. Where the request involves complex information gathering, we will advise you of the additional time needed to process your request.

Effective Date: 1 July 2011
Last Updated: 5 April 2023