Effective Date: 1 April 2020
Last updated: 1 April 2020
The Hongkong and Shanghai Hotels, Limited and its group companies and affiliates (hereinafter “HSH Group”, “the Group”, “we” or “us”), is committed to protecting the privacy of our clients who use our online and offline services and has released the Data Privacy & Security Policy (Mainland China) .
In general, we will not actively collect and process a Child’s Personal Data without the Guardian’s consent. However, due to the technology limit, we cannot recognise the user’s age in some circumstances, especially when providing the services online. In these cases, we will deem that the user has the complete and legitimate right to provide us with the Personal Data pursuant to the Related Laws. If we inadvertently collect any Child’s Personal Data without the Guardian’s consent, we will delete in time.
Personal Data refers to all kinds of information recorded in electronic or other forms, which can be used, independently or in combination with other information, to identify personal identity, including but not limited to the name, date of birth, identity certificate number, biometric information, email address, address and telephone number.
1.1We may collect and process a Child’s Personal Data when providing the following services:
(a) To administer hotel room reservation ? Users may submit reservation requests via our website, our Global Customer Service Centre (GCSC) or our third party service providers’ website. If a Guardian books a room through the above channels, we may in the process collect the Child’s Personal Data, such as name, age, nationality, gender, as well as the preference of room type and setup, transportation, food and beverage and internet access if the Guardian and/or the Child may have particular requests on services;
(b) To provide hotel-related services ? To provide a Child with hotel-related services, including but not limited to accommodation, transportation, food and beverage, special activities for Child, and to facilitate any particular requests, we may collect Child’s Personal Data including, among others,
(i) Check-in: We are mandated to collect a Child’s Personal Data to complete the check-in in accordance with local laws. This will involve any of the Child User’s passport number, identity card or household registration book, and where relevant, the type of entry visa. In addition, we may provide with some Children special VIP cards, which include the name, age, favourite numbers, colours, food and toys to provide memorable services during his/her stay;
(ii) Transportation services: To provide safe and on-time transportation services to a Child and his/her family, we may collect the passengers’ age, number and travel plan (e.g. the arrival and/or departure time, the destination, etc.);
(iii) Food and beverage services: To provide better food and beverage service, a Child User or a Guardian may be invited to fill in our food and beverage questionnaire which collects name, date of birth, telephone number and email address. We may also collect a Child User’s food and beverage preferences and dietary restrictions to provide customised services safely;
(iv) Participation in Child activities: We provide Peninsula Academy activities and curriculum for Child, such as classes relating to calligraphy, chocolate making, painting and swimming, which can be reserved online and offline. For providing these activities, we may collect the Child’s name, gender, age, address, contact information and other personal information related to the particular activities. In general, a Child is not allowed to purchase, register or attend these activities without the Guardian’s consent or accompany;
(v) Handling of accidents and claims: to handle or to assist the Guardian in handling accidents such as calling for emergency services or dealing with personal injury claims, we may collect and process the Child’s health related or medical information as required and appropriate;
(c) To register “My Peninsula” account ? When a user make a hotel room reservation online, the user can enrol for a My Peninsula account by providing us with user's name, mobile number, email address and setting a password. In general, without express consent of the Guardian, a Child User is not allowed to register My Peninsula account. We will take commercially reasonable measures to verify users’ age before the registration;
(d) To complete purchase ? Based on the actual needs, we may collect user's name, telephone number, email address, residential and/or delivery addresses, bank card information, etc., to complete payment and deliver orders when the user purchases a merchandise or Peninsula gift certificate online or offline;
(e) To provide residential and restaurant services ? To complete transactions and provide services at request of the Guardian, we may collect certain information of users based on actual needs, which may include a Child’s Personal Data; and
(f) To customise services and products ? To assure the users’ continuous comfortable and satisfactory services in the future, we may collect and store their specific needs and preference (including the Child Users) to provide customised services satisfying personalised needs upon their return.
1.2 Information Collection
(a) We may collect a Child’s Personal Data directly from the Guardian upon his/her consent, or from third parties including agents and online service providers via whom the Guardian purchase, reserve or register the foregoing services we provide online and offline.
(a) When users are browsing, using or interacting with our websites, we will automatically collect and store the following information: user's IP address, device ID, browser information, website domain name before jumping to this website, browsing path model and website usage habits;
2.2 In general, due to the technology limits, we are unable to recognise users’ age when collecting information via cookies. If a Guardian finds or has concerns on our collection via cookies when his/her Child’s browsing our websites without consent, the Guardian may contact us via the Contact Information as set out under section 6 “Contacting Us” hereof, or may manage or delete the cookie(s) from his/her own end by erasing all cookies stored on the PC and other mobile terminals, or by using the authority equipped by the browser to block the cookies. Subject to the browser that the Guardian uses, the Guardian may be requested to change the user settings every time when he/she visits our websites.
3.1 To provide continuous and personalised services to our clients, we may share the Child’s Personal Data within HSH Group. We will not share any Child’s Personal Data with third parties except for the following circumstances or unless we have otherwise obtained the Guardian’s consent.
(a) Third party service providers who process Child’s Personal Data on our behalf to help us undertake the activities described in section 1 ? We may permit selected third parties such as service providers, agents, contractors, controlling shareholder of the hotel and other affiliates of HSH Group to use Child’s Personal Data for the purposes as set out in section 1, including data centre providers that host our servers and third party agents that process mailing and purchases of gift cards on our behalf. These parties are contractually prohibited from using Child’s Personal Data for any purpose other than for the purpose specified in their respective contracts, and will be subject to obligations to process Child’s Personal Data in compliance with the appropriate safeguards. We do not permit the sale of Child’s Personal Data to entities outside of the HSH Group for any use;
(b) Law enforcement agencies, government authorities, regulators and the courts in order to comply with our legal obligations or to handle incidents/claims ? We may disclose a Child’s Personal Data when required by relevant laws or by court order, or as requested by other government or law enforcement authority to assist with certain proceedings or investigations. Where permitted, we will direct any such request to the Guardian or will notify the Guardian before responding unless doing so would prejudice the prevention or detection of an actual and suspected crime. This also applies when we have reason to believe that disclosing a Child’s Personal Data is necessary to obtain legal advice, to identify, investigate, protect, contact, or bring legal action against someone who may be causing interference with our guests, visitors, associates, rights or properties, or to others, whether intentionally or otherwise, or when anyone else could be harmed by such activities; and
4.1 As a global company, we endeavour to provide our users with the same outstanding services and to maintain commercially reasonable administrative, technical and physical safeguards to protect the users’ Personal Data that we collect, store and transmit against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. For more information about how we transmit, protect and store the users’ Personal Data, please refer to our Data Privacy & Security Policy (Mainland China).
4.2 In addition to the safeguard as set out under Data Privacy & Security Policy (Mainland China) , to protect the Child’s Personal Data, we take the following measures:
(a) In terms of access privilege:
(i) We have strictly limit our staff’s privilege of accessing Child’s Personal Data based on the principle of minimal authorisation. No staff is not allowed to access to the Child’s Personal Data until has duly obtained the approval from the customer database manager or other competent stakeholder(s);
(ii) We record each visit of Child’s Personal Data and have taken technical measures and implemented internal policy to avoid illegal or unnecessary copying and downloading Child’s Personal Data;
(b) In terms of safety management systems and safety management personnel:
(i) We have set up information security team to be responsible for the establishment of the information security system;
(ii) We have established relevant safety management systems in information collection, storage, transmission, encryption, network security, vulnerability management, security event processing, etc;
(c) In terms of technical measures:
(i) We have adopted technical measures such as encryption to protect the security and confidentiality of information transmission;
(ii) We have adopted technical measures such as intrusion detection/protection system, network firewall, anti-virus tool and anti-spam tool, etc. to protect the security and confidentiality of information preservation;
(d) In terms of security incident handling:
(i) We have developed a security incident reporting and disposal management system, such as HSH Group Cybersecurity Incident Management System and Emergency Response Plan;
(ii) When we discover any Child’s Personal Data being or under the risks of being leaked, damaged or lost, we will immediately launch an emergency plan and take remedial measures;
(iii) If any data leakage, damage or loss occurs and has caused or will cause serious consequence, we will immediately report it to the relevant governmental authority with the incident being correlated, and will try at the best effort to inform the Guardian of the affected Child Users within in a due course, via email, letter, phone call, push notification and the other appropriate and feasible manner.
4.3 Despite such efforts, however, please note that no company can fully eliminate risks or guarantee the security of Child’s Personal Data. Unauthorised entry or use, hardware or software failure, and other factors may compromise the security of user’s information. While we strive to put in place appropriate contractual protections, we are unable to guarantee the security of Child’s Personal Data hosted on databases run by third parties, and we bear no liability for uses or disclosures of Child’s Personal Data or other data arising in connection with theft of the information or other malicious actions.
5.1 As the subject of the Personal Data, the user is entitled to certain rights with respect to his/her Personal Data that we collected in accordance with our Data Privacy & Security Policy (Mainland China) .
(a) Access: the Guardian can request us to provide access to and further ask to review the Personal Data of the Child under his/her guardiancy;
(b) Correction: the Guardian can ask us to correct any inaccuracies in the Child’s Personal Data;
(c) Complaint: if the Guardian is not satisfied with our use of Child’s Personal Data or our response to any exercise of these rights, the Guardian may complain to the data protection authority in his/her country;
(d) Erasure: the Guardian can ask us to delete Child’s Personal Data. Unless otherwise provided by laws and regulations, we will delete such data;
(e) Withdrawal of consent: the Guardian may revoke any previous consent on processing the Child’s Personal Data at any time. Please note that revoking certain consents may affect the services and products we provide to the Child in some cases;
(f) Object to providing: the Guardian has the discretion on whether providing the Child’s Personal Data to us; however, to the extent permitted by the applicable laws and regulations, we may refuse to provide services or products to the Child due to insufficiency or lack of information;
(g) Object to processing: the Guardian can object to the processing (e.g. analytics and researching activities carried out in relation to Child’s Personal Data for improving services or for designing promotion plans), unless our reasons for undertaking the processing outweigh any prejudice to data protection rights;
(h) Restriction: the Guardian can restrict how we use the Child’s Personal Data pending any investigation, for example whilst we are verifying the accuracy of the Child’s Personal Data or where we are verifying the grounds that we use as the basis of holding the Child’s Personal Data;
(i) Portability: where technically feasible, the Guardian has the right to ask us to transmit the Child’s Personal Data that we have collected to a third party in a structured, commonly used and machine readable form;
(j) Removal of account: the Guardian can at any time request for the removal of a registered account. Once we receive the request, we will erase the relevant My Peninsula account as soon as practicable;
(k) Updating information: we will use reasonable endeavours to ensure that the Child’s Personal Data is accurate. In order to assist us with this, the Guardian should notify us of any changes to the Child’s Personal Data that have been provided to us by update the details in the “My Peninsula” account or by contacting us as set out in section 6 below; and
(l) Notification in the event of breach: in the unlikely event of a data breach, we will follow any laws and regulations which would require us to notify the Guardian of the disclosure of Child’s Personal Data.
5.3 We will process all requests within 15 working days in accordance with the applicable data protection laws.
Data Privacy Team
The Hongkong and Shanghai Hotels, Limited
8/F St George’s Building
2 Ice House Street
Fax: +852 2147 3720
Data Privacy Team
If after reviewing this privacy statement you have any privacy questions or concerns or would like to request access to, correction or object to the processing of your data for legitimate purposes, please contact our Data Privacy Team.
Data Privacy Team
The Hongkong and Shanghai Hotels, Limited
8/F, St George's Building
2 Ice House Street
Central, Hong Kong
+852 2147 3720
PLEASE ALLOW 15 BUSINESS DAYS
FOR US TO PROCESS ANY
CORRECTION OF DATA