Child Privacy Policy (Mainland China) | The Peninsula Hotels

Child Privacy Policy 

(Mainland China)

Effective Date:  1 April 2020
Last updated:  1 April 2020

The Hongkong and Shanghai Hotels, Limited and its group companies and affiliates (hereinafter “HSH Group”, “the Group”, “we” or “us”), is committed to protecting the privacy of our clients who use our online and offline services and has released the Data Privacy & Security Policy (Mainland China) . 

To ensure that the legal guardian (hereinafter “Guardian”) of a child user under the age of 14 (hereinafter “Child User” or “Child”) can make an informed decision on providing the Child’s Personal Data (as defined in section 1 below) when purchasing our products and enjoying our services, we hereby provide this Child Privacy Policy (Mainland China) (hereinafter “Child Privacy Policy”) to set out how we collect, store, use, transfer and disclose a Child’s Personal Data. If you are the Guardian of a Child, please read carefully and ensure that you fully understand and choose whether to agree to this Child Privacy Policy. 

 

This Child Privacy Policy is based on the Cybersecurity Law of the People's Republic of China, the Child Personal Information Network Protection Regulations, and other applicable laws and regulations for the time when the Child Privacy Policy is released being in force (hereinafter collectively referred to as the “Related Laws”). 

 

In general, we will not actively collect and process a Child’s Personal Data without the Guardian’s consent. However, due to the technology limit, we cannot recognise the user’s age in some circumstances, especially when providing the services online. In these cases, we will deem that the user has the complete and legitimate right to provide us with the Personal Data pursuant to the Related Laws. If we inadvertently collect any Child’s Personal Data without the Guardian’s consent, we will delete in time.


Instructions for the Guardian: by submitting your Child’s Personal Data to us directly or via third parties (including our service providers and agents), you have acknowledged and agreed that we can collect, store, use, transfer and disclose the Child’s Personal Data pursuant to this Child Privacy Policy and the Related Laws. If you find that your Child has provided us any personal information without your consent, please notify us to delete via the Contact Information under section 6 “Contacting Us” hereof.

 

Instruction for the Child: please inform your Guardian of this Child Privacy Policy and seek for his/her consent before you provide any personal information (such as name, gender, date of birth, ID number, address, phone number, etc.) to us. Please DO NOT provide us with any personal information until you have obtained your Guardian’s consent. 

 

This Child Privacy Policy specifically focuses on general and technical details about the protection of the Child’s Personal Data as follows. For more information about HSH Group’s general privacy practice in Mainland China, please kindly refer to our Data Privacy & Security Policy (Mainland China) . Our websites may contain links to other third party websites that have their own privacy policies. We do not accept any responsibility or liability for their policies or processing of the Personal Data. Please check these policies before submitting any personal information (including the Child’s Personal Data) to such third party websites.

 

 

1 HOW WE COLLECT AND USE CHILD'S PERSONAL DATA

2. HOW WE USE COOKIES AND SIMILAR TECHNOLOGIES

3. HOW WE SHARE CHILD'S PERSONAL DATA

4. HOW WE TRANSMIT, PROTECT AND STORE CHILD'S PERSONAL DATA

5. RIGHTS OF THE GUARDIAN

6. CONTACTING US

7. CHANGES TO THE CHILD PRIVACY POLICY

 

 

1. How we collect and use Child's Personal Data

 

Personal Data refers to all kinds of information recorded in electronic or other forms, which can be used, independently or in combination with other information, to identify personal identity, including but not limited to the name, date of birth, identity certificate number, biometric information, email address, address and telephone number. 

1.1We may collect and process a Child’s Personal Data when providing the following services: 

(a) To administer hotel room reservation ► Users may submit reservation requests via our website, our Global Customer Service Centre (GCSC) or our third party service providers’ website. If a Guardian books a room through the above channels, we may in the process collect the Child’s Personal Data, such as name, age, nationality, gender, as well as the preference of room type and setup, transportation, food and beverage and internet access if the Guardian and/or the Child may have particular requests on services;

(b) To provide hotel-related services ► To provide a Child with hotel-related services, including but not limited to accommodation, transportation, food and beverage, special activities for Child, and to facilitate any particular requests, we may collect Child’s Personal Data including, among others, 

(i) Check-in: We are mandated to collect a Child’s Personal Data to complete the check-in in accordance with local laws. This will involve any of the Child User’s passport number, identity card or household registration book, and where relevant, the type of entry visa. In addition, we may provide with some Children special VIP cards, which include the name, age, favourite numbers, colours, food and toys to provide memorable services during his/her stay;

(ii) Transportation services: To provide safe and on-time transportation services to a Child and his/her family, we may collect the passengers’ age, number and travel plan (e.g. the arrival and/or departure time, the destination, etc.);

(iii) Food and beverage services: To provide better food and beverage service, a Child User or a Guardian may be invited to fill in our food and beverage questionnaire which collects name, date of birth, telephone number and email address. We may also collect a Child User’s food and beverage preferences and dietary restrictions to provide customised services safely;

(iv) Participation in Child activities: We provide Peninsula Academy activities and curriculum for Child, such as classes relating to calligraphy, chocolate making, painting and swimming, which can be reserved online and offline. For providing these activities, we may collect the Child’s name, gender, age, address, contact information and other personal information related to the particular activities. In general, a Child is not allowed to purchase, register or attend these activities without the Guardian’s consent or accompany;

(v) Handling of accidents and claims: to handle or to assist the Guardian in handling accidents such as calling for emergency services or dealing with personal injury claims, we may collect and process the Child’s health related or medical information as required and appropriate;

(c) To register “My Peninsula” account ► When a user make a hotel room reservation online, the user can enrol for a My Peninsula account by providing us with user's name, mobile number, email address and setting a password. In general, without express consent of the Guardian, a Child User is not allowed to register My Peninsula account. We will take commercially reasonable measures to verify users’ age before the registration;

(d) To complete purchase ► Based on the actual needs, we may collect user's name, telephone number, email address, residential and/or delivery addresses, bank card information, etc., to complete payment and deliver orders when the user purchases a merchandise or Peninsula gift certificate online or offline;

(e) To provide residential and restaurant services ► To complete transactions and provide services at request of the Guardian, we may collect certain information of users based on actual needs, which may include a Child’s Personal Data; and

(f) To customise services and products ► To assure the users’ continuous comfortable and satisfactory services in the future, we may collect and store their specific needs and preference (including the Child Users) to provide customised services satisfying personalised needs upon their return.

 

1.2 Information Collection

(a) We may collect a Child’s Personal Data directly from the Guardian upon his/her consent, or from third parties including agents and online service providers via whom the Guardian purchase, reserve or register the foregoing services we provide online and offline. 

(b) We may collect information from the public resources or the followers of our social media accounts to provide, improve and promote our products and services in accordance with Data Privacy & Security Policy (Mainland China) , this Child Privacy Policy and the applicable local laws.

2. How we use cookies and similar technologies

2.1 We may use cookies and similar technologies to provide better services and to distinguish the users when the user browses our websites. 

(a) When users are browsing, using or interacting with our websites, we will automatically collect and store the following information: user's IP address, device ID, browser information, website domain name before jumping to this website, browsing path model and website usage habits;

(b) For more information about what cookies we use and how and why we use them, please refer to our Data Privacy & Security Policy (Mainland China)  and our Cookies Policy  respectively. 

2.2 In general, due to the technology limits, we are unable to recognise users’ age when collecting information via cookies. If a Guardian finds or has concerns on our collection via cookies when his/her Child’s browsing our websites without consent, the Guardian may contact us via the Contact Information as set out under section 6 “Contacting Us” hereof, or may manage or delete the cookie(s) from his/her own end by erasing all cookies stored on the PC and other mobile terminals, or by using the authority equipped by the browser to block the cookies. Subject to the browser that the Guardian uses, the Guardian may be requested to change the user settings every time when he/she visits our websites. 

3. How we share Child's Personal Data

3.1 To provide continuous and personalised services to our clients, we may share the Child’s Personal Data within HSH Group. We will not share any Child’s Personal Data with third parties except for the following circumstances or unless we have otherwise obtained the Guardian’s consent.

(a) Third party service providers who process Child’s Personal Data on our behalf to help us undertake the activities described in section 1 ► We may permit selected third parties such as service providers, agents, contractors, controlling shareholder of the hotel and other affiliates of HSH Group to use Child’s Personal Data for the purposes as set out in section 1, including data centre providers that host our servers and third party agents that process mailing and purchases of gift cards on our behalf. These parties are contractually prohibited from using Child’s Personal Data for any purpose other than for the purpose specified in their respective contracts, and will be subject to obligations to process Child’s Personal Data in compliance with the appropriate safeguards. We do not permit the sale of Child’s Personal Data to entities outside of the HSH Group for any use; 

(b) Law enforcement agencies, government authorities, regulators and the courts in order to comply with our legal obligations or to handle incidents/claims ► We may disclose a Child’s Personal Data when required by relevant laws or by court order, or as requested by other government or law enforcement authority to assist with certain proceedings or investigations. Where permitted, we will direct any such request to the Guardian or will notify the Guardian before responding unless doing so would prejudice the prevention or detection of an actual and suspected crime. This also applies when we have reason to believe that disclosing a Child’s Personal Data is necessary to obtain legal advice, to identify, investigate, protect, contact, or bring legal action against someone who may be causing interference with our guests, visitors, associates, rights or properties, or to others, whether intentionally or otherwise, or when anyone else could be harmed by such activities; and

(c) Third parties who require such data in connection with a change in the structure of our business ► In the event that we (or a part thereof) are (i) subject to negotiations for the sale of our business or (ii) sold to a third party or (iii) conducting a reorganisation, we may transfer Child’s Personal Data to that re-organised entity or third party and to be used for the same purposes as set out in this Child Privacy Policy, or for the purpose of analysing any proposed sale or re-organisation. We ensure that no more of a Child’s Personal Data is transferred than is necessary. 

3.2 This Child Privacy Policy does not apply to sharing of Personal Data by third party providers (e.g. airlines, online travel agents, car rental companies, table booking websites) who may collect Personal Data from users and may share it with us. In these situation, we would strongly advise users to review the applicable privacy policy of the third party service providers before submitting Personal Data. 

4. How we transmit, protect and store Child's Personal Data

4.1 As a global company, we endeavour to provide our users with the same outstanding services and to maintain commercially reasonable administrative, technical and physical safeguards to protect the users’ Personal Data that we collect, store and transmit against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. For more information about how we transmit, protect and store the users’ Personal Data, please refer to our Data Privacy & Security Policy (Mainland China).

4.2 In addition to the safeguard as set out under Data Privacy & Security Policy (Mainland China) , to protect the Child’s Personal Data, we take the following measures:

(a) In terms of access privilege:

(i) We have strictly limit our staff’s privilege of accessing Child’s Personal Data based on the principle of minimal authorisation. No staff is not allowed to access to the Child’s Personal Data until has duly obtained the approval from the customer database manager or other competent stakeholder(s); 

(ii) We record each visit of Child’s Personal Data and have taken technical measures and implemented internal policy to avoid illegal or unnecessary copying and downloading Child’s Personal Data; 

(b) In terms of safety management systems and safety management personnel:

(i) We have set up information security team to be responsible for the establishment of the information security system;

(ii) We have established relevant safety management systems in information collection, storage, transmission, encryption, network security, vulnerability management, security event processing, etc;

(c) In terms of technical measures:

(i) We have adopted technical measures such as encryption to protect the security and confidentiality of information transmission;

(ii) We have adopted technical measures such as intrusion detection/protection system, network firewall, anti-virus tool and anti-spam tool, etc. to protect the security and confidentiality of information preservation;

(d) In terms of security incident handling:

(i) We have developed a security incident reporting and disposal management system, such as HSH Group Cybersecurity Incident Management System and Emergency Response Plan;

(ii) When we discover any Child’s Personal Data being or under the risks of being leaked, damaged or lost, we will immediately launch an emergency plan and take remedial measures;

(iii) If any data leakage, damage or loss occurs and has caused or will cause serious consequence, we will immediately report it to the relevant governmental authority with the incident being correlated, and will try at the best effort to inform the Guardian of the affected Child Users within in a due course, via email, letter, phone call, push notification and the other appropriate and feasible manner.

4.3 Despite such efforts, however, please note that no company can fully eliminate risks or guarantee the security of Child’s Personal Data. Unauthorised entry or use, hardware or software failure, and other factors may compromise the security of user’s information. While we strive to put in place appropriate contractual protections, we are unable to guarantee the security of Child’s Personal Data hosted on databases run by third parties, and we bear no liability for uses or disclosures of Child’s Personal Data or other data arising in connection with theft of the information or other malicious actions.

5. Rights of the Guardian

5.1 As the subject of the Personal Data, the user is entitled to certain rights with respect to his/her Personal Data that we collected in accordance with our Data Privacy & Security Policy (Mainland China) .

5.2 If the Personal Data’s subject is a Child, the Guardian is entitled to the following rights in accordance with this Child Privacy Policy and subject to various exceptions and data protection laws in the Child User’s country:

(a) Access: the Guardian can request us to provide access to and further ask to review the Personal Data of the Child under his/her guardiancy;

(b) Correction: the Guardian can ask us to correct any inaccuracies in the Child’s Personal Data;

(c) Complaint: if the Guardian is not satisfied with our use of Child’s Personal Data or our response to any exercise of these rights, the Guardian may complain to the data protection authority in his/her country; 

(d) Erasure: the Guardian can ask us to delete Child’s Personal Data. Unless otherwise provided by laws and regulations, we will delete such data; 

(e) Withdrawal of consent: the Guardian may revoke any previous consent on processing the Child’s Personal Data at any time. Please note that revoking certain consents may affect the services and products we provide to the Child in some cases;

(f) Object to providing: the Guardian has the discretion on whether providing the Child’s Personal Data to us; however, to the extent permitted by the applicable laws and regulations, we may refuse to provide services or products to the Child due to insufficiency or lack of information; 

(g) Object to processing: the Guardian can object to the processing (e.g. analytics and researching activities carried out in relation to Child’s Personal Data for improving services or for designing promotion plans), unless our reasons for undertaking the processing outweigh any prejudice to data protection rights; 

(h) Restriction: the Guardian can restrict how we use the Child’s Personal Data pending any investigation, for example whilst we are verifying the accuracy of the Child’s Personal Data or where we are verifying the grounds that we use as the basis of holding the Child’s Personal Data;

(i) Portability: where technically feasible, the Guardian has the right to ask us to transmit the Child’s Personal Data that we have collected to a third party in a structured, commonly used and machine readable form;

(j) Removal of account: the Guardian can at any time request for the removal of a registered account. Once we receive the request, we will erase the relevant My Peninsula account as soon as practicable;

(k) Updating information: we will use reasonable endeavours to ensure that the Child’s Personal Data is accurate. In order to assist us with this, the Guardian should notify us of any changes to the Child’s Personal Data that have been provided to us by update the details in the “My Peninsula” account or by contacting us as set out in section 6 below; and

(l) Notification in the event of breach: in the unlikely event of a data breach, we will follow any laws and regulations which would require us to notify the Guardian of the disclosure of Child’s Personal Data.

5.3 We will process all requests within 15 working days in accordance with the applicable data protection laws. 

6. Contacting Us

6.1 For any questions about this Child Privacy Policy or our processing practices, please contact us through the following manner, and we would revert to you within 15 working days after we verify your identity:

Data Privacy Team

The Hongkong and Shanghai Hotels, Limited 
8/F St George’s Building 
2 Ice House Street 
Central 
Hong Kong

Fax: +852 2147 3720

Email: privacy@peninsula.com

7. Changes to the Child Privacy Policy

7.1 In the future, we may need to make changes to this Child Privacy Policy. All changes will be included in the latest Child Privacy Policy published on our websites, so that users will always understand our current practices with respect to the information we gather, how we might use that information and disclosures of that information to third parties. Users can understand when this Child Privacy Policy was last updated by looking at the date at the beginning of the policy

7.2 We will provide a more conspicuous notification whenever there is a substantial change to this Child Privacy Policy. For example, a pop-up window will appear when accessing our website, or we will send users an email directly. Substantial changes include but are not limited to the substantial alterations on the grounds of processing Personal Data, the types of Personal Data we collect and the ways to use Child’s Personal Data, as well as any substantial alterations in the rights possessed in respect of Child’s Personal Data and ways to exercise such rights. 

Data Privacy Team

If after reviewing this privacy statement you have any privacy questions or concerns or would like to request access to, correction or object to the processing of your data for legitimate purposes, please contact our Data Privacy Team.

BY MAIL

Data Privacy Team
The Hongkong and Shanghai Hotels, Limited
8/F, St George's Building
2 Ice House Street
Central, Hong Kong

BY FAX

+852 2147 3720

PLEASE ALLOW 15 BUSINESS DAYS

FOR US TO PROCESS ANY

CORRECTION OF DATA

Japanese Chinese Chinese Korea Arabic