Data Privacy and Security Policy
This Data Privacy and Security Policy (Privacy Policy) sets out how The Hongkong and Shanghai Hotels, Limited and its group companies and affiliates (HSH Group, we or us) collects, stores and handles your personal data. The list of companies within the HSH Group is set out at https://www.hshgroup.com/privacy-policy/Entities.ashx
This Privacy Policy is intended to ensure you can make informed decisions about supplying Personal Data relating to you when purchasing our products and using our services. For any comments or queries, please contact us as set out in section 7 “Contacting us”.
You can find a Peninsula Hotel and/or restaurants or other goods and services operated and provided by the HSH Group from the following websites online:
www.peninsula.com, residences.peninsula.com, zbarchicago.com, www.peninsulalondonproject.co.uk, www.peninsularesidences.london, www.hshgroup.com, www.quaillodge.com, signatureevents.peninsula.com, www.therepulsebay.com, www.thepeak.com.hk, www.thelandmarkvietnam.com, www.peninsulaboutique.com , www.peninsulaboutique.com.tw, and www.peninsulaboutique.co.kr, or from a web-enabled mobile device.
Please note that our websites and the provision of our services are not intended for children and minors and we do not knowingly solicit or collect Personal Data from anyone under the age of 18, other than from a parent or legal guardian with consent. As a parent or legal guardian, please do not allow your children to submit Personal Data without your permission.
By submitting your Personal Data to us, you agree to the processing set out in this Privacy Policy. If there are any additional uses of your Personal Data that will become relevant, then we will provide you with the necessary information and consult you on such additional uses in accordance with the applicable law.
This Privacy Policy contains general and technical details about the steps we take to respect your privacy concerns. We have organised the Privacy Policy by major processes and areas so that you can review the information of most interest to you.
- Personal Data we collect
- How we use Personal Data
- How we share Personal Data
- How we transmit, protect and store Personal Data
- Your rights
- California and Nevada privacy rights
- Contacting us
- Cookies
- Changes to the Privacy Policy
- Other Sites
1 |
Personal Data we collectThe term “Personal Data” refers to any personal data that can be used to identify you as an individual. |
1.1 | We may collect and process the following Personal Data about you.
For our hotel related services only (for example when you make a hotel or spa reservation, or purchase a gift certificate from us)
For non-hotel related services only (for example residential and commercial leasing, and operation of residential clubs and food and beverage outlets and transport) Your transactions with us ► we may collect information such as identity card and passport details, tenancy particulars, employment particulars and club membership particulars. |
1.2 | We do not collect Personal Data when you apply for a Peninsula/American Express credit card. If you apply for a Peninsula/American Express credit card, you will be required to provide certain personal information as part of the credit card application process. We do not own any of the personal information supplied to American Express group of companies in connection with the Peninsula/American Express credit card application process. You can refer to American Express’ privacy statement posted on their website to understand how the information you supply will be used. American Express is the issuer of the credit card, and all terms and conditions of being a cardholder are dictated by American Express. |
1.3 | There are several ways by which we may collect your Personal Data from you: (i) we may collect your Personal Data from you directly by engaging with you, for example, when you make a direct booking on our website, or when you book or receive a service, or purchase a merchandising product in-person; and (ii) we may also collect Personal Data from third parties including agents and online service providers that make hotel, spa or restaurant reservations on your behalf, facilitate online payments or gift purchases or that are otherwise involved in the reservations process or delivering our services to you. Finally, (iii) we may also collect Personal Data from you through your activity on social media platforms that link to us such as Facebook fan pages or WeChat Official Account, or when you share content, photographs or follow us. Please note that any social media platform will also have their own privacy policies and processes to govern the processing of your Personal Data. |
1.4 | If you provide us with Personal Data about other individuals (e.g. family members or travel companions), regardless of whether you are travelling together, you must inform such individuals that you have provided us with their details and let them know where they can find a copy of this Privacy Policy. |
Special Categories of Personal Data | |
1.5 | “Special Categories of Personal Data” are a subset of Personal Data, and include Personal Data relating to your health, political opinions, religious beliefs, ethnicity and race, sex life, trade union membership and in some cases, criminal activity. |
1.6 | As a general rule, we do not process Special Categories of Personal Data. We may however process health/medical information in order to handle medical incidents and/or claims as per paragraph 2.1(i) below. Where we process Special Categories to handle medical incidents, we do so in order to protect the vital interests of you or another person, Where we process Special Categories to handle claims, we do so on the basis of establishing, exercising or defending legal claims or whenever courts are acting in their judicial capacity.
In addition to paragraph 1.6 above, we may process Special Categories of Personal Data in limited circumstances where you have provided such Special Categories of Personal Data including health/medical information (e.g. allergies, disabilities, dietary requirements) so that we can provide our services safely to you (e.g. spa treatments and meals). |
1.7 | In addition to section 1.6 above, we may process Special Categories of Personal Data in limited circumstances where you have provided such Special Categories of Personal Data including health/medical information (e.g. allergies, disabilities, dietary requirements) so that we can provide our services (e.g. spa treatments and meals) safely to you. |
1.8 | Where we must process Special Categories of Personal Data mentioned at paragraph 1.7 above, we will only do so where you have given us your explicit consent for the collection, processing and disclosure of the Special Categories of Personal Data. Where you are providing Special Categories of Personal Data about a travel partner, you agree that you have procured their consent to our collection, processing and disclosure of their Special Categories of Personal Data. |
2.2
2 |
How we use Personal Data |
2.1 | We may use your Personal Data in the following ways. Please note that use of Personal Data under EU data protection laws must be justified under one of a number of legal “grounds” and we are required to set out the grounds in respect of each use in this Privacy Policy. An explanation of the scope of the grounds available can be found [here].
In respect of hotel-related services only
|
2.2 | We may combine information that we have collected offline with information we collect online. We combine information across devices, such as computers and mobile devices. We may also combine information we receive from a third party with information we already have. |
4 |
How we transmit, protect and store Personal Data |
Security of communications | |
4.1 | It is important to note that no security system or system of transmitting information over the Internet is guaranteed to be secure. There is a risk inherent in the submission of information online, use of e-mail and facsimile. Please be aware of this when requesting information or sending forms to us online or by e-mail or facsimile, for example, from the “Contact Us” section. We recommend that you do not include any sensitive information including credit card details when submitting information online, using e-mail, facsimile or when using any public computers/public WIFI. |
Security controls | |
4.2 | We maintain commercially reasonable administrative, technical and physical safeguards designed to protect the Personal Data we maintain against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. Despite such efforts, however, please note that no company can fully eliminate risks or guarantee complete security of personal information. Unauthorised entry or use, hardware or software failure, and other factors may compromise the security of your information. While we strive to put in place appropriate contractual protections, we are unable to guarantee the security of Personal Data hosted on databases run by third parties, and we bear no liability for uses or disclosures of personal information or other data arising in connection with theft of the information or other malicious actions. |
4.3 | We store certain customer information and reservation details in our Customer Information System and Reservation System on our subcontractor’s secure servers. Our server resides behind firewalls to protect Personal Data collected from you against unauthorised or accidental access. Because laws applicable to personal information vary by country, our hotels or other business operations may put in place additional measures that vary depending on the applicable legal requirements. |
Personal Data transmission across international borders | |
4.4 | As a global company, we endeavour to provide you with the same outstanding service in Hong Kong, as you would find in New York or Tokyo. To achieve this goal, we have established a global network comprised of properties, offices, global customer service centers, data centers, trusted service providers, and trained associates around the globe. The nature of our business and our operations require us to transfer your Personal Data to other group companies, properties, centers of operations, data centers, or service providers that may be located in countries outside of your own* for the purposes mentioned in this Privacy Policy. Although the data protection and other laws of these various countries may not be as comprehensive as those in your own country, the HSH Group will take appropriate measures, including contractual clauses, to secure the transfer of your Personal Data to recipients (which may be internal or external to the HSH group) located in a country with a level of protection different from the one existing in the country in which your Personal Data is collected. *Currently, guest data may be transferred to our headquarters in Hong Kong as well as other countries where we are present, including China, Japan, Vietnam, United Kingdom, United States of America, Thailand, the Philippines and France. We also use third party service providers which are located in countries such as United States of America and Australia to process mailing, certain online bookings and purchases of gift cards. |
4.5 | Your Personal Data may be accessed by staff or suppliers, transferred, and/or stored outside the European Economic Area (EEA) including to countries which may have a lower level of data protection than under EU data protection laws. We must comply with specific rules when we transfer Personal Data from inside the EEA to outside the EEA. When we do this, we will use appropriate safeguards to protect any Personal Data being transferred. Where required, we will transfer your Personal Data subject to European Commission approved contractual terms that impose different data protection obligations directly on the recipient. Please contact us as set out in section 7 below if you would like to see a copy of the specific safeguards we apply to the export of your Personal Data; these may be redacted to protect commercially sensitive or confidential information. |
4.6 | Your Personal Data will be stored for the period of time required or permitted by law in the jurisdiction of the operation holding the information (for example certain transaction details and correspondence may be retained until the time limit for claims in respect of the transaction has expired or in order to comply with regulatory requirements regarding the retention of such data). So if information is used for two purposes we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period once that period expires. |
4.7 | Our retention periods are based on business needs and on the applicable statutory requirements |
5 |
Your rights |
Opt-out of marketing | |
5.1 | You have the right to ask us not to process your Personal Data for marketing purposes at any time. You can exercise your right by checking certain boxes online or on the data collection forms, talking to us in person, or by contacting us as set out in section 7 below. If you opt out of receiving our marketing messages, where permitted by law, you may continue to receive other messages from us as required by the relationship between you and us. |
Other rights | |
5.2 | Subject to various exceptions and data protection laws in your country, you may have the following rights:
|
Updating information | |
5.3 | We will use reasonable endeavours to ensure that your Personal Data is accurate. In order to assist us with this, you should notify us of any changes to your Personal Data that you have provided to us by updating your details in your My Peninsula account or by contacting us as set out in section 7 below. |
5.4 | In the unlikely event of a data breach, we are prepared to follow any laws and regulations which would require us to notify you of the disclosure of private information. |
California Privacy Rights | |
5.5 | Under California Civil Code sections 1798.83-1798.84, California residents are entitled to ask us for a notice identifying the categories of personal customer data which we share with our group companies, affiliates and/or third parties for marketing purposes, and providing contact information for such affiliates and/or third parties. If you are a California resident and would like a copy of this information, please submit a written request to the address details in Section 6. |
6 |
California and Nevada privacy rights |
6.1 | If you are a California resident, you have the right to ask us what information we have collected, used, disclosed and sold about you in the preceding 12 months. You also have the right to request us to delete the Personal Data we have collected from you. To exercise your rights, please contact us at one of the toll-free numbers listed below in section 6.4 or email us at privacy@peninsula.com. We will verify your request by matching information you provide to us with information we already have about you. We will not discriminate against you because you have exercised any of your rights under the California Consumer Privacy Act (CCPA). You can designate someone else to make a request by having them execute a notarised power of attorney to act on your behalf. We will maintain a record of your CCPA rights requests |
6.2 | Under California law we are required to tell California residents if we “sell” information as that term is defined by applicable law (i.e. sharing the Personal Data with a third party for monetary or other valuable consideration). We confirm to California residents that we do not do this based on our understanding of that term. We also do not have actual knowledge that we sell the Personal Data of minors under the age of 16. |
6.3 | In relation to our disclosure obligations in Nevada, we confirm that we do not exchange Nevada residents’ Personal Data for money with any person for such person to license or sell the Personal Data to additional persons. By emailing us at privacy@peninsula.com, Nevada residents may opt out of the future sale of their Personal Data to a third party. |
6.4 | For our US properties, we have the following toll-free numbers available to make a request in relation to your Personal Data:
6.4.1 The Peninsula Beverly Hills: +1 800 462 7899 |
7 |
Contacting Us |
7.1 | If you have any questions about this Privacy Policy or our processing of your Personal Data, please contact us at : Data Privacy Team The Hongkong and Shanghai Hotels, Limited 8/F St George’s Building 2 Ice House Street Central Hong Kong Fax: +852 2147 3720 Email: privacy@peninsula.com Alternatively, you can contact our Representative in the European Union at:Peninsula Paris Hotel Management SARL Ref: “EU Representative”c/o The Peninsula Paris 19 avenue Kléber, Paris, France, 75116Attention: Executive Office / HSH Management Services Limited Phone: +33 1 5812 2888 Email: privacy@peninsula.com |
7.2 | Please contact the Data Privacy Team (whose details are set out above in section 7.1) for the Data Protection Officer of HSH’s Singapore companies. |
8 |
Cookies |
8.1 | Our website uses cookies to distinguish you from other users of the Website. This helps us provide you with a good experience when you browse our website and also allows us to improve our [here] |
9 |
Changes to the Privacy Policy |
9.1 | In the future, we may need to make additional changes. All additional changes will be included in the latest Privacy Policy published on this website or mobile application, so that you will always understand our current practices with respect to the information we gather, how we might use that information and disclosures of that information to third parties. You can tell when this Privacy Policy was last updated by looking at the date at the bottom of the Privacy Policy. Any changes to our Privacy Policy will become effective upon posting of the revised Privacy Policy. We will seek your express consent to any changes to how we use or disclose your Personal Data if required by law but otherwise use of this website or our services following such changes constitutes your acceptance of the Privacy Policy then in effect. |
10 |
Other Sites |
10.1 | The website or mobile application may contain links to other third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you submit any personal information to such third party websites. |
30 June 2020