DATA PRIVACY & SECURITY POLICY

 

Last Updated: 20 December 2023

 

This Data Privacy and Security Policy (“Privacy Policy”) sets out how The Hongkong and Shanghai Hotels, Limited and its group companies and affiliates (“HSH Group”, “we” or “us”) collects, stores and handles your “Personal Data” (i.e., any personal data that can be used to identify you as an individual), which we may collect:

• through websites operated by us from which you are accessing this Privacy Policy, including hshgroup.com, peninsula.com and other websites owned or controlled by the HSH Group (“Websites”);
• through software applications (including automated tools and chat functionalities) made available by us for use on or through computers and mobile devices (“Apps”);
• through email messages that we send you that link to this Privacy Policy and through your communications with us online or in person;
• from third parties or other sources such as public databases, marketing partners, and other third parties; and
• when you visit or stay as a guest or tenant at one of our properties or through other offline interactions (“Guest Interactions”).

Collectively, we refer to our Websites, the Apps, and Guest Interactions as our “Services”

You may get the list of relevant companies within the HSH Group by clicking here.

This Privacy Policy is intended to ensure you can make informed decisions about providing your Personal Data when purchasing our products, using our Services, communicating with us and exercising shareholder's rights. For any comments or queries, please contact us in accordance with Section 5 (Contacting us). You can click here to find our websites and social media pages, where you may search for a Peninsula Hotel and/or restaurant or other goods and services that we operate or provide.

 

Please note that our Services are not intended for Minors. By“Minors”,we mean: (i) users under the age of 18 years old; or (ii) in the case of a region where the minimum age for processing Personal Data differs, such different age. We do not knowingly solicit or collect Personal Data from Minors for any purpose unless such information are voluntarily provided or consented by a parent or a legal guardian. If you believe that we have Personal Data of a Minor without lawful consent, or if you are the parent or guardian of the user of a relevant Minor and wish to withdraw consent, please contact us in accordance with Section 5 (Contacting us) below. For more information about how we collect, process, and protect Personal Data of Minors, please refer to Minors’Privacy Policy. If you are a parent or a legal guardian of a Minor, please read the Minors' Privacy Policy before sharing any Minor's Personal Data with us.

 

By providing Personal Data to us, you agree to the processing and use set out in this Privacy Policy and have obtained corresponding authorisation (if required). If you do not agree to the processing of Personal Data in the way this Privacy Policy describes, please do not provide such data and stop using the Services.

 

We have organised and composed the Privacy Policy by major processes and scope of information processing so that you can easily browse the information of most interest to you.

 

1. How we collect and use Personal Data

2. How we share Personal Data

3. How we transmit, protect, and store Personal Data

4. Your rights

5. Contacting us

6. Cookies

7. Changes to the Privacy Policy

8. Other sites

 

Annex I: Local Specific Provisions – California

Annex II: Local Specific Provisions – China

Annex III: Local Specific Provisions – Türkiye

Annex IV: Local Specific Provisions – Philippines

 

1. How we collect and use Personal Data

 

1.1 This section provides more detail on the types of Personal Data we collect from you, and why. It also identifies the legal basis under which we process the relevant Personal Data, to the extent this is required by applicable laws.

 

 

 

1.2 In general, we may use the Personal Data set out above to assure your future comfort and attention to your individual needs, and/or assist in developing new services and products and to improve our existing services and products. It is in our legitimate interest to continuously improve and develop our Services. In addition, we may use the above information to comply with our legal obligations, to safeguard our legal rights including (without limitation) in relation to the defence of any claims, and to cooperate with law enforcement agencies, government authorities, regulators and/or the court in connection with proceedings or investigations anywhere in the world. We are obliged to meet our legal obligations, and it is in our legitimate interest to safeguard our legal rights.

 

1.3 There are several ways by which we may collect your Personal Data from you:

• we may collect your Personal Data from you directly by engaging with you, for example, through our Apps, when you make a direct booking on our Websites, or when you book or purchase our service or product in-person;
• we may also collect Personal Data from third parties, including agents and online service providers that make hotel, spa or restaurant reservations on your behalf, facilitate online payments or gift purchases or that are otherwise involved in the reservations process or delivering our Services to you; and
• we may also collect Personal Data from you through your activity on social media platforms that link to us such as Facebook fan pages or WeChat Official Account, or when you share content, photographs or follow us. Please note that these social media platforms will have their own privacy policies and procedures governing the processing of your Personal Data.

 

1.4 If you provide us with Personal Data about other individuals (e.g., family members or travel companions), regardless of whether you are travelling together, you must obtain such individuals' authorisation or consent to provide us with their details and let them know where they can find a copy of this Privacy Policy.

 

1.5 We may combine information that we have collected offline with information we collect online. We combine information across devices, such as computers and mobile devices. We may also combine information we receive from a third party with information we already have.

 

2. How we share Personal Data

 

2.1 Only where necessary will we share your Personal Data with third parties. Situations where this may occur include the following:

 

 

(a) Affiliates ► To provide you with Services and ensure the consistency of service standard and business management, we may share your Personal Data with the affiliates in the HSH Group. Our affiliates have signed an intra-group data sharing agreement and may only use your Personal Data in accordance with this Privacy Policy. You may find a list of the relevant affiliates by clicking here.

 

(b) Third party service providers who process Personal Data on our behalf to help us undertake the activities described in the Section 1 ► We may permit selected third parties such as service providers, agents, contractors, entities, which may include the property/hotel owner, and/or other HSH Group companies, to use your Personal Data for the purposes set out in Section 1 (How we collect and use Personal Data) above, including:

1. specialised agents helping us to provide advertisements and promotional campaigns and events and analyse their effectiveness, to manage your communications and questions to us, to maintain the relationship with you, to provide personalised services for you, and to send marketing communications to you with your consent in advance;
2. third party vendors helping us to deliver products to you, such as post offices and couriers;
3. payment service providers and credit reporters helping us to assess your credit score, to verify your information (if and when this is required for signing certain contracts) and to process your online payment;
4. third party vendors helping us to provide customer or concierge services and customer care;
5. travel agencies, firms or companies helping us to provide training, seminars, banquets, events, personalized experience services; and
6. consulting firms helping us to manage client relationship and to provide reports and analysis of market research and customer surveys.

 

(c) Law enforcement agencies, government authorities, regulators, and the court to comply with our legal obligations or to handle incidents/claims ► We may disclose your Personal Data when required by relevant laws or by court order or requested by other government or law enforcement authorities to assist with proceedings or investigations. In such circumstances, unfortunately, we may not be able to seek your consent to, or notify you in advance of, such disclosure.

 

(d) Third parties to safeguard our legal rights and property ► We may disclose your information to third parties in order to:

1. enforce our terms and conditions and other agreements, including investigation of any potential violation thereof;
2. detect, prevent or otherwise address security, fraud or technical issues; or
3. protect the rights, property or safety of us, our customers, a third party or the public as required or permitted by law (such as exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction).

 

(e) Third parties who require such data in connection with a change in the structure of our business ► We may also disclose your Personal Data to a prospective buyer, new owner or other third party involved in any of the following transactions or change to our business (including any negotiations regarding any such transaction or change): (i) sale, transfer, merger, consolidation or reorganisation of any part(s) of our business, or merger with, acquisition or formation of a joint venture with any other business; or (ii) sell or transfer any of our assets (in which case the Personal Data may be sold as part of those assets).

 

2.2 All third-party service providers providing services to or for us are prohibited from retaining, using or disclosing your Personal Data for any purpose except where strictly necessary for the Services (i.e., for the purposes described above).

 

2.3 This Privacy Policy does not apply to third-party service providers (e.g., airlines, online travel agents, car rental companies, table booking websites) who may collect personal information from you and may share it with us. In these situations, we strongly advise you to review the applicable third-party provider's privacy policy before providing your personal information.

 

3. How we transmit, protect, and store Personal Data

 

Security of communications

 

3.1 We take commercially reasonable administrative (e.g., information security and access policies), technical, and physical safeguards designed to protect the Personal Data that we possess. Despite such efforts, however, please note that no company can fully eliminate risks or guarantee complete security of Personal Data. We cannot guarantee the security of your Personal Data transmitted through the Services or otherwise via the Internet - any transmission is at your own risk. Unauthorised entry or use, hardware or software failure, and other factors may also compromise the security of your information. Further, while we strive to put in place appropriate contractual protections, we are unable to guarantee the security of Personal Data hosted on databases run by third parties, and to the extent legally permissible, we bear no liability for uses or disclosures of personal information or other data arising in connection with theft of the information or other malicious actions.

 

3.2 We store certain customer information and reservation details in our Customer Information System and Reservation System on our subcontractor's secure servers. Our server resides behind various measures such as firewalls, authentication, access control, integrity protection, encryption and anti-virus tools designed to protect Personal Data collected from you against unauthorised or accidental access. Because laws applicable to personal information vary by country, our hotels or other business operations will put in place additional measures that may be different depending on the applicable legal and regulatory requirements.

 

International Personal Data transfers

 

3.3 As a global company, we endeavour to provide you with the same outstanding service in Hong Kong, as you would find in Beijing, Shanghai, Paris, New York, Tokyo, etc. To achieve this goal, we have established a global network comprised of properties, offices, trusted service providers and associates around the globe. The nature of our business and our operations require us to transfer your Personal Data to other Group companies, properties, centres of operations, data centres, or service providers that may be domiciled in countries outside of your own for the purposes mentioned in this Privacy Policy. Currently, personal data may be transferred to our headquarters in Hong Kong as well as other countries or regions where we are present or have data servers, including mainland China, Singapore, Japan, Vietnam, United Kingdom, United States of America, Thailand, Turkey, the Philippines, and France. The relevant countries or jurisdictions for the purposes of any such cross-border Personal Data transfer will depend on your location.

 

3.4 For customers located in relevant jurisdictions, including without limitation the EEA or the UK, transfers between our affiliates in the HSH Group and to third parties use applicable safeguards, such as incorporating standard contractual clauses, obtaining your consent or taking into account adequacy assessments.

 

Storage of Personal Data

 

3.5 Your Personal Data will be stored for the period of time required to fulfil the relevant purpose described in Section 1 (How we collect and use Personal Data) above unless otherwise required or permitted by law. If information is used for two purposes, we will retain it until both purposes have been fulfilled, but we will stop using it for a purpose once that purpose is fulfilled.

 

4. Your rights

 

4.1 Some jurisdictions’ laws grant specific rights to users of the Services. Please refer to the Local Specific Provisions (set out in the relevant annexes to this Privacy Policy), or the applicable laws in your jurisdiction, for an overview of specific rights that may apply to persons subject to data protection laws in the listed jurisdictions and how these can be exercised.

 

4.2 Subject to Section 4.1 above, you may enjoy certain rights in relation to your Personal Data that we hold. Some of these rights only apply in certain circumstances (as set out in more detail below). If you wish to exercise any of these rights, please reach out to us in accordance with Section 5 (Contacting us) below and we will handle your request in line with the applicable law and regulations.

 

(a) Access: you may ask us to provide you with access to your Personal Data and further details on the use we make of your Personal Data and who we share your Personal Data with.

 

(b) Correction: you may ask us to correct any inaccuracies in the Personal Data we hold about you.

 

(c) Complaint: if you are not satisfied with our use of your Personal Data or our response to any exercise of these rights, you may complain to the data protection authority in your country.

 

(d) Erasure: you may ask us to delete your Personal Data if we no longer have a lawful ground for use, unless otherwise required or stipulated by applicable laws and regulations, but we will let you know if that is the case.

 

(e) Withdrawal of consent: where processing is based on consent (e.g., marketing, or certain uses of the special categories of Personal Data), and to the extent provided by applicable laws and regulations, you may withdraw your consent to certain processing activity or activities by us by contacting us, and we will stop that particular processing activity. Where consent is required to process your Personal Data, if you do not consent to the processing or if you withdraw your consent, we may not be able to deliver the expected service. Please note that the right to withdraw consent is only available if the legal basis for processing Personal Data is consent.

 

(f) Object to processing: you may object to our processing of your Personal Data. If you wish to do so, please contact us and we will consider your request.

 

(g) Restriction: you may require that we stop processing your Personal Data (other than for storage purposes in certain circumstances). Please note, however, that if we stop processing such Personal Data, we may use it again if there are valid grounds under data protection laws for us to do so (e.g., for the defence of legal claims or for another's protection).

 

(h) Portability: you may have the right to receive a copy of certain of your Personal Data we process about you. For example, in certain jurisdictions this can comprise Personal Data we process on the basis of your consent (e.g., survey information) or pursuant to our contract with you (e.g., account name), as described in Section 1 (How we collect and use Personal Data) above. We will provide further information to you about transferring this Personal Data if you make such a request.

 

(i) Advertising: You may choose to stop receiving personalised advertising or marketing promotions from us when using the Services by following the instructions of any marketing materials provided via email, by updating your preferences in your “My Peninsula” or “Peninsula Perfect Companion” account (where applicable) or by contacting us.

 

4.3 Where we act as a data processor, you should contact the data controller to exercise any of your rights.

 

4.4 Notwithstanding the foregoing, we may from time to time send you announcements when we consider it necessary to do so (for example, when we need to inform you about maintenance, security or safety matters at our properties). These are essential system and Service-related announcements, and you are not able to opt-out of these notifications, which are not promotional in nature.

 

Updating information

 

4.5 We will use reasonable endeavours to ensure that your Personal Data is accurate. In order to assist us with this, you should notify us of any changes to your Personal Data that you have provided to us by updating your details in your account in “My Peninsula”, “Peninsula Perfect Companion” or “Mobile PenKey Concierge” (where applicable) or by contacting us in accordance with Section 5 (Contacting us) below.

 

5. Contacting us

 

5.1 If you have any questions about this Privacy Policy or our processing of your Personal Data, or otherwise want to exercise any rights you may have, please contact us at:

        

Data Privacy Team

 

The Hongkong and Shanghai Hotels, Limited

8/F St George’s Building

2 Ice House Street

Central, Hong Kong SAR

Phone: +852 2926 2888

Email: privacy@peninsula.com

 

5.2 You can also reach out to our representatives for data protection purposes as follows:

        

Representative in the European Union at:

 

Peninsula Paris Hotel Management SARL

Ref: “EU Representative”

 

c/o The Peninsula Paris

19 avenue Kléber,

Paris, France, 75116

 

Attention: Executive Office / HSH Management Services Limited

Phone: +33 1 5812 2888

Email: privacy@peninsula.com

 

Representative in the United Kingdom at:

 

Peninsula London Limited

(Acting as general partner on behalf of Peninsula London, LP)

Ref: “UK Representative”

c/o The Peninsula London

1 Grosvenor Place, London

SW1 7HJ, United Kingdom

 

Attention: Executive Office / HSH Management Services Limited

Phone: +44 20 3959 2888

Email: privacy@peninsula.com

 

Representative in Thailand at:

 

Siam Chaophraya Holdings Company Limited

Ref: “Thailand Representative”

c/o The Peninsula Bangkok

333/1 Charoennakorn Road, Klongton-Sai,

Klongsan, Bangkok 10600, Thailand

 

Attention: Executive Office / HSH Management Services Limited

Phone: +66 2 020 2888

Email: privacy@peninsula.com

 

Representative in Türkiye at:

 

PIT İstanbul Otel İşletmeciliği Anonim Şirketi

Ref: “Türkiye Representative”

c/o The Peninsula Istanbul

Karaköy, Kemankeş Karamustafapaşa Mahallesi, Kemankeş Caddesi No:34,

34425 Beyoğlu, Istanbul, Türkiye

 

Attention: Executive Office / HSH Management Services Limited

Phone: +90 212 931 2888

Email: privacy@peninsula.com

 

5.3 We will endeavour to deal with your request within a reasonable time. This is without prejudice to any right you may have to launch a claim with a data protection authority in the region in which you live or work where you think we have infringed data protection laws.

        

6. Cookies

 

6.1 Our Websites and Apps use cookies and other technologies to distinguish you from other users of the relevant website. Cookies are small files which, when placed on your device helps us provide you with a good experience when you browse our Websites and also allows us to improve our Websites. For detailed information on the cookies that we use and the purposes for which we use them, please refer to our Cookies Policy.

 

7. Changes to the Privacy Policy

 

7.1 In the future, we may need to make changes to this Privacy Policy. All changes will be included in the latest Privacy Policy published on our Websites or Apps, so that you will always understand our current practices with respect to the Personal Data. Any changes to our Privacy Policy will become effective upon posting of the revised Privacy Policy. If required by the applicable laws and regulations, we will notify you of any major changes to this Privacy Policy. Unless otherwise required by the applicable laws and regulations, you will be deemed to have accepted and agreed the revised Privacy Policy then in effect by visiting our websites or using our services after such changes.

 

8. Other sites and languages

 

8.1 Our Websites or Apps may contain links to other third-party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you provide any personal information to such third-party websites.

 

8.2 Except as otherwise prescribed by law or as expressly set out, in the event of any discrepancy or inconsistency between the English version and local language version of this Privacy Policy, the English version shall prevail.

 

Annex I: Local Specific Provisions – California

 

1. Scope and application

 

This section applies to California residents covered by the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020, “CCPA”). For the purposes of this section, “personal information” and “sensitive personal information” have the meanings given in the CCPA and do not include information excluded from the CCPA’s scope.

 

2. Collection and disclosure of personal information

 

Over the past 12 months, we have collected, and disclosed for a business purpose, the following categories of personal information from or about you or your device:

• personal information that you provide to us, or that we obtain from public channels, including your name, language preference, telephone number, email address and (residential and/or delivery) address and records of your trading history with us;
• registration information of accounts with us, including the username and password that you provide to us for registering an account of “My Peninsula”, “Peninsula Perfect Companion” or “Mobile PenKey Concierge”;
• your payment information such as your credit card information (including credit card number, code and expiry date) and your bank account details;
• if you contact us, our correspondence via email, telephone or other means of communication, for any purpose (e.g., making enquiries to us before or after a transaction with us);
• social media account information including, depending on your interactions with various social media platforms linked to us or with which we engage, your profile names, account ID, photographs, posts, etc., that are publicly available;
• visual and/or aural recordings or images recorded by close circuit television systems installed to the extent appropriate, relevant and permitted by applicable laws and regulations;
• information that you have provided when completing our surveys that we use for research purposes;
• information relating to your usage of our Website and Apps, including details of your visits to our Website, Apps and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access;
• your travel details and preferences including your travel details (including flight number, arrival and departure dates and time, country/region of origin and destination), your frequent flyer information, your travel partner’s information (including accompanying family members, partners or friends), employment information (applicable to group reservation), preferences for room, food and beverages and treatment, internet access, and services (including important dates or anniversaries). We may also collect information as required by local laws such as the number of identity card or passport, type of entry visa, driver’s license, date and place of birth, gender, title, nationality, etc.;
• information on your itemised spending with us to properly assemble your folio during your stay, which includes your room rate and other expenses billed to your room;
• your information via dedicated accounts such as “My Peninsula” or “Mobile PenKey Concierge”, to provide customised services according to your requests, such as your drivers’ license number for renting a car for you and other information to provide lifestyle experiences and sourcing services for goods, foods, entertainments, etc.;
• certain information to satisfy your requests for related services, including (but not limited to) license plate numbers (applicable to residential and commercial leasing), personal information of co-habitant(s) or visitor(s) (applicable to residential leasing), food and beverages preferences and requests (applicable to provision of food and beverages services), itinerary and activity arrangement (applicable to provision of banquet or transport services), etc.; and/or
• information if you submit to us voluntarily in connection with an investment or potential investment in us, including but not limited to your full name, email address and addresses, percentage of share and vote, phone number, employer and other personal information strictly in connection with the investment and, if appropriate, copy of your identification document. We also use any personal information that the Hong Kong Share Registrar of The Hongkong and Shanghai Hotels, Limited (currently, Computershare Hong Kong Investor Services Limited) already hold about you.

 

We collect and disclose your personal information for the following purposes:

• to provide you with the Services, process reservation requests and enable and charge for (i) hotel related services, including but not limited to accommodation, food and beverages and spa treatment; and (ii) non-hotel services and information including residential clubs, banquet events, commercial and residential leasing, concierge and transport services;
• to complete your orders or purchases when you purchase a Peninsula gift certificate, pre-paid card or merchandise;
• to customise and improve our Services and products;
• to provide you with updates, offers, subscriptions and other marketing materials relating to our Services to you where you have chosen to receive these;
• to handle any accidents (such as liaising with emergency services) and medical service requests, and to handle any claims made by customers such as personal injury claims; and
• to provide investment-related services to you, register to participate in a company webcast or other live streaming or digital meeting format, as well as complete various investor relations processes.

For additional information about what each type of personal information is used for, please refer to Section 1 (How we use Personal Data) above.

 

We disclose each of the categories of personal information that we collect to the following types of entities:

• affiliates in the HSH Group in order to provide you with Services and ensure the consistency of service standard and business management;
• selected third parties such as service providers, agents, contractors, entities, which may include the property/hotel owner, and/or other HSH Group companies, to support our use of your Personal Data as set out in Section 1 (How we use Personal Data) above, including:

• specialised agents;

• third party vendors providing delivery services;

• payment service providers and credit reporters;

• third party vendors providing customer or concierge services and customer care;

• travel agencies, firms or companies; and

• consulting firms;

• law enforcement agencies, government authorities, regulators, and the court to comply with our legal obligations or to handle incidents/ claims. In such circumstances, unfortunately, we may not be able to seek your consent to, or notify you in advance of, such disclosure;
• Third parties to ensure safety, security or compliance with laws, including to:

• enforce our terms and conditions and other agreements, including investigation of any potential violation thereof;

• detect, prevent or otherwise address security, fraud or technical issues; or

• protect the rights, property or safety of us, our customers, a third party or the public as required or permitted by law.

• a prospective buyer, new owner or other third party involved in any of the following transactions or change to our business (including any negotiations regarding any such transaction or change): (i) sale, transfer, merger, consolidation or reorganisation of any part(s) of our business, or merger with, acquisition or formation of a joint venture with any other business; or (ii) sell or transfer any of our assets (in which case the Personal Data may be sold as part of those assets).

 

In the past 12 months, we have not sold or shared personal information of California residents within the meaning of “sold” or “Share” in the CCPA. We also have no knowledge of any sale or sharing of personal information of users under 16 years of age.

 

In addition, we do not use or disclose sensitive personal information for purposes other than to perform the services reasonably expected by an average consumer who requests those services.

 

3. Retention of your personal information

 

The retention period varies for the different categories of data collected. For more information about the retention period, please see Section 3 (How we transmit, protect, and store Personal Data) above.

 

4. Rights under the CCPA

 

If you are a California resident and the CCPA does not recognise an exception that applies to you or your personal information, you have the right to:

• request we disclose to you free of charge the following information covering the 12 months preceding your request:

• the categories of personal information about you that we collected;

• the categories of sources from which the personal information was collected;

• the purpose for collecting personal information about you;

• the categories of third parties to whom we disclosed personal information about you and the categories of personal information that was disclosed (if applicable) and the purpose for disclosing the personal information about you; and

• the specific pieces of personal information we collected about you;

• request we delete personal information we collected from you, unless CCPA recognises an exception;
• request we correct inaccurate personal information that we maintain about you; and
• be free from unlawful discrimination for exercising your rights including providing a different level or quality of services or denying goods or services to you when you exercise your rights under the CCPA.

We target to fulfil all verified requests within the period stipulated by the CCPA, being 45 days as at the date of this Privacy Policy. If necessary, extensions for an additional 45 days will be accompanied by an explanation for the extension.

 

5. How to exercise your rights

 

If you are a California resident to whom the CCPA applies, you may also exercise your rights, if any, regarding other data by contacting us in accordance with Section 5 (Contacting us) above. We may take steps to verify your identity before complying with your request to protect your privacy and security, and may decline your request if we are unable to verify your identity. To verify your identity, we may need the following information from you: your first name, last name, address, phone number, date of birth and email address.

 

Under the CCPA, you may exercise these rights yourself or you may also designate an authorised agent to make these requests on your behalf. In order for us to process the request, you must provide the authorised agent with signed written permission. We reserve the right to require the agent to verify their own identity and to confirm directly with you that you have provided the authorised agent permission to submit the request.

 

6. Contacting us

 

If you have questions or concerns regarding this Privacy Policy, please contact us in accordance with Section 5 (Contacting us) above.

 

Additionally, for our US properties, we have the following toll-free numbers available for you to make a request in relation to your Personal Data to us:

 

(a) The Peninsula Beverly Hills: +1 800 462 7899

(b) The Peninsula Chicago: +1 866 288 8889

(c) The Peninsula New York: +1 800 262 9467

(d) Quail Lodge & Golf Club: +1 866 675 1101

 

Annex II: Local Specific Provisions – China

We have prepared this Annex II in accordance with the Personal Information Protection Law of the People's Republic of China (“PIPL”) or residents of the People’s Republic of China (which, for the purpose of the Annex II of this Privacy Policy only, excluding Hong Kong SAR, Macao SAR and Taiwan, “China”) and individuals who are in China. In case of any conflict between this Annex II and the main text of this Privacy Policy, this Annex II shall prevail.

 

1. To whom we share Personal Data

 

As set out in Section 2 (How we share Personal Data) above, where permitted by the applicable laws and regulations, we may share your Personal Data with our affiliates, service providers, agents, contractors, and other business partners when and if it is necessary to do so. You may find a list of our affiliates to which we share your Personal Data and to know their details by clicking here. In addition, you may contact our Data Privacy Team in accordance with Section 5 (Contacting us) above to obtain information of our business partners and to whom we share your Personal Data.

 

2. Software Development Kits (SDK) Provided by Third Parties

 

To provide you with a better service experience, our websites or online channels may contain SDK from third-party providers to whom we may share your Personal Data when you use our Services. You may find details of these SDKs and their operators below:

 

 

We will conduct necessary security testing to all third-party SDKs and require third-party providers to implement strict measures to protect the security of your Personal Data. Meanwhile, we may update the SDKs’ information according to changes in service requirements and business functions from time to time. You can find the most updated version in our latest Privacy Policy.

 

3. Personal Data transmission across international borders

 

In principle, the Personal Data that is generated or collected by us in China will be stored in China. However, to process your reservation and payment and to provide with you our Services, we may need to transfer your Personal Data outside of China. Data protection laws in these countries or regions may be different from those in China and the level of protection to your Personal Data may vary accordingly.

 

If your Personal Data is transferred outside of China, we will take appropriate protective measures as required by the laws and regulations in China, including, as appropriate, carrying out personal data protection impact assessments, obtaining necessary certification from the competent authorities, conducting security assessment by qualified third-party institutes, and/or signing the standard contractual clauses issued by the Cyberspace Administration of China with overseas recipients.

 

4. Special protection of Minors’ Personal Data

 

Please note that our websites and our products and services are not intended for Minors (i.e., persons under the age of 18) unless expressly stated in the relevant descriptions. We do not knowingly solicit or collect Personal Data of Minors. To ensure that guardians of Minors can make informed decisions regarding provision of Minors’ Personal Data when purchasing and using products and services provided by us, we have published the Minors’ Privacy Policy to explain how we collect, store, use, transfer or disclose the Minors’ Personal Data. If you are a Minor’s guardian, please read and understand the Minors’ Privacy Policy.

 

5. Contacting us

 

In addition to contacting us in accordance with Section 5 (Contacting us) above, you may contact our data protection officers in China as follows:

 

The Hongkong and Shanghai Hotels, Limited

8/F St George’s Building

2 Ice House Street

Central, Hong Kong SAR

Phone: +852 2926 2888

Fax: +852 2732 2933

Email: privacy@peninsula.com

 

Data Protection Officer in China Mainland

 

The Palace Hotel Ltd.

8 Goldfish Lane, Wangfujing, Beijing

The Peninsula Beijing

Phone: +86 10 8516 2888

Email: privacy@peninsula.com

 

The Peninsula Shanghai Waitan Hotel Company Limited

No. 32, The Bund 32 Zhongshan Dong Yi Road, Shanghai

The Peninsula Shanghai

Phone: +86 21 2327 2888

Email: privacy@peninsula.com

 

Peninsula Merchandising (Shenzhen) Company Limited

D16, F/8, Block B, Aerospace Science and Technology Plaza, 3rd Street of Haide, Nanshan District, Shenzhen

Phone: +86 0755 2657 9989

Email: privacy@peninsula.com

 

Please allow 15 business days for us to process any data access requests. Where the request involves complex information gathering, we will advise you of the additional time needed to process your request.

 

Annex III: Local Specific Provisions – Türkiye

 

1. Scope and application

 

Annex III has been formulated in compliance with Law No. 6698 concerning the Protection of Personal Data ("KVKK" or “the Law”) for individuals within the Republic of Türkiye whose personal information has been processed within the scope of HSH Group's operations. Should any discrepancies arise between the application of this Annex and the primary content of this Privacy Policy, the regulations and explanations provided within this Annex shall take precedence. This Annex is available in English and Turkish. If there is any inconsistency or different interpretation between the English and Turkish versions, the Turkish text shall prevail.

 

2. Collection, disclosure, and retention of personal data

 

As outlined in Section above, we may share your personal data with our affiliates, service providers, agents, contractors, and other business partners. We will do so only when permitted by the Law. You can access our full Privacy Policy and the categories of personal data we process in Turkish via this link.

 

 

Additionally, you can reach out to the Data Privacy Representative of The Peninsula Istanbul by contacting us at privacy@peninsula.com or as per the instructions provided in Section 5 (Contacting us) above to obtain information about our business partners and the recipients of your personal data.

 

 

The duration for which we retain different categories of processed personal data varies according to our legal bases for collecting your data. Once there is no legitimate base for your personal data to be in our system, your personal data will be anonymised or destroyed in accordance with the Law.

 

3. Collection of special categories of personal data

 

According to the KVKK, personal data pertaining to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade unions, data concerning health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data, are classified as special categories of personal data. We do not process such data without your explicit consent unless the processing is permitted by any applicable law.

 

4. Data transfer abroad

 

Typically, any personal data we process in Türkiye is stored within the Republic of Türkiye. However, for tasks such as managing your reservations, processing payments, and providing our Services, it may be necessary to transfer your personal data overseas. It is essential to acknowledge that data protection laws in these foreign countries or regions may differ from those in Türkiye, potentially impacting the level of protection afforded to your personal data.

 

If indeed your personal data is transferred outside of Türkiye, we will implement appropriate precautionary measures as required by applicable laws and regulations to protect your privacy rights. These measures may include:

• transferring within the HSH Group will be covered by an intra-group data sharing agreement entered into by the group companies and affiliates of HSH Group which contractually obliges each group company/affiliate to ensure that your information receives an adequate and consistent level of protection wherever it is transferred within the HSH Group;
• where we transfer your data outside of the HSH Group including to other companies providing us with a service, we will obtain contractual commitments and assurances from them to protect your information. Some of these assurances includes conducting personal data protection impact assessments, obtaining necessary certifications from relevant authorities, engaging qualified third-party institutes for security assessments, and/or adhering to standard contractual clauses issued by the Turkish Personal Data Protection Board; and
• we will only transfer personal data to countries which are recognised as proving an adequate level of legal protection, or where we can be satisfied that alternative arrangements are in place to place to protection your privacy rights in accordance with the KVKK regulations, or after having obtained explicit consent from you.

5. Rights under the KVKK

 

As a data subject, you have the right to request from the data controller;

 

1) To learn whether your personal data has been processed or not,
2) To demand for information as to your personal data that has been processed,
3) To learn the purpose of processing of your personal data and whether these personal are used in compliance with the purpose,
4) To know the third parties to whom your personal data are transferred in country or abroad,
5) To request the rectification of the incomplete or inaccurate data, if any,
6) To request the erasure or destruction of your personal data under the conditions referred to in the Law
7) To request reporting of the operations carried out pursuant to sub-paragraphs (5) and (6) to third parties to whom your personal data have been transferred,
8) To object to the occurrence of a result against yourself by analysing the data processed solely through automated systems
9) To claim compensation for the damage arising from the unlawful processing of your personal data.

 

 

In order to protect both your privacy and security, we may need to verify your identity before fulfilling your request. If we are unable to confirm your identity, we may decline your request. To verify who you are, we may ask for specific details such as your first and last name, address, phone number, date of birth, and email address.

 

6. Contacting us

 

As a data subject, if you wish to make requests concerning the implementation of the KVKK to the data controller, you are entitled to do so. Should you have any concerns or inquiries regarding this Privacy Policy, please reach out to us following the instructions provided in Section 5 (Contacting us) above.

 

Furthermore, apart from contacting us as outlined in Section 5, you have the option to reach out to The Peninsula Istanbul for inquiries regarding your personal data:

 

Address: Kemankeş Caddesi No:34, Kemankeş Karamustafapaşa Mahallesi, Karaköy, 34425 Beyoğlu, Istanbul, Türkiye
Telephone: +90 212 931 2888
Email: privacy@peninsula.com

 

We will handle any request for accessing data in line with the KVKK (at latest within 30 days). In cases where the request involves gathering complex information, we will notify you of the additional time required to process your request. Please be aware that if your request incurs additional costs, fees may be applied accordingly.

 

Execution Date: 24 September 2024

 

Annex IV: Local Specific Provisions – Philippines

 

We have prepared this Annex IV in accordance with Republic Act No. 10173, or the Data Privacy Act of 2012 (“DPA”), for residents of the Philippines and individuals who are in the Philippines. This Annex supplements the main body of the Privacy Policy. However, in case of any conflict between this Annex IV and the main text of this Privacy Policy, this Annex IV shall prevail.

 

1. Processing of sensitive personal data

 

Under the DPA, certain categories of personal data are classified as “sensitive personal data”. These include personal data about an individual’s race, ethnic origin, marital status, age, color, and religious, and philosophical or political affiliations; health, education, genetic or sexual life, and criminal proceedings; and social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns.

 

We do not process sensitive personal data without your explicit consent unless the processing thereof is permitted under the DPA, such as where the processing is necessary to protect your life and health or that of another person, and you are not legally or physically able to express your consent prior to the processing; or the processing concerns sensitive personal data necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority pursuant to a constitutional or statutory mandate.

 

2. Retention of personal data

 

The duration for which we retain different categories of processed personal data varies according to our legal bases for collecting your data. Once there is no more basis for your personal data to be retained in our system, your personal data will be discarded or disposed of in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice your interest.

 

3. Your rights as a data subject

 

As a data subject, you are entitled to the following rights:

 

a) Right to be informed: You have a right to be informed whether personal data pertaining to you shall be, are being, or have been processed, including the existence of automated decision-making and profiling. You shall be notified and furnished with the following details before the entry of your personal data into our processing system, or at the next practical opportunity:

1. Description of the personal data to be entered into the system;
2. Purposes for which they are being or will be processed, including processing for direct marketing purposes;
3. Scope and method of the processing of personal data;
4. The recipients or classes of recipients to whom the personal data are or may be disclosed;
5. Methods utilized for automated access, if you allow the same, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences to you of such processing;
6. Our contact details;
7. The period for which your personal data will be stored; and
8. The existence of your rights as data subject, including the right to access, correction, and objection to the processing, as well as the right to lodge a complaint before the National Privacy Commission.

b) Right to object: You shall have the right to object to the processing of your personal data, including processing for direct marketing, automated processing or profiling. Where your consent was the basis for the processing of your personal data, you shall also be notified and given an opportunity to withhold consent to further processing in case of any changes to the details that were supplied or declared to you when we first obtained your consent.

When you object or withhold consent, we shall no longer process your personal data, unless:

1. The personal data is needed pursuant to a subpoena (e.g., a court order);
2. The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to our contract with you and / or to provide and support the Services;
3. The personal data is being collected and processed as a result of a legal obligation that we will fulfill to you.

c) Right to access: You have the right to reasonable access to, upon demand, the following:

1. Contents of your personal data that were processed;
2. Sources from which personal data were obtained;
3. Names and addresses of recipients of the personal data;
4. Manner by which such personal data were processed;
5. Reasons for the disclosure of the personal data to recipients, if any;
6. Information on automated processes where your personal data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect you;
7. Date when personal data concerning yourself were last accessed and modified by us; and
8. Our details as the personal information controller.

d) Right to rectification: You have the right to dispute the inaccuracy or error in your personal data and have us correct it immediately and accordingly, unless we find that the request is vexatious or otherwise unreasonable. If the personal data has been corrected, we shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof. Upon your reasonable request, we will also inform third parties who have previously received such processed personal data of its inaccuracy and its rectification.

e) Right to erasure or blocking: You shall have the right to suspend, withdraw or direct the blocking, removal or destruction of your personal data from our system. This right may be exercised by you upon presenting to us substantial and satisfactory proof of any of the following:

1. Your personal data is incomplete, outdated, false, or unlawfully obtained;
2. Your personal data is being used for an unauthorized purpose;
3. Your personal data is no longer necessary for the purpose for which it was collected;
4. You withdraw consent or object to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
5. Your personal data concerns private information that is prejudicial to you, unless justified by freedom of speech, of expression, or of the press, or otherwise authorized;
6. The processing of your personal data is unlawful; or
7. We violated your rights as a data subject.

f) Right to damages: You shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, considering the violation of your rights and freedoms as a data subject. Indemnification will be available upon substantial proof of actual damages sustained.

g) Right to data portability: Where your personal data is processed by us by electronic means and in a structured and commonly used format, you shall have the right to obtain from us a copy of such data in an electronic or structured format that is commonly used and allows for further use by you. The exercise of this right primarily considers your right to have control over your personal data that is being processed based on consent or contract, for commercial purpose, or through automated means.

In case of death or incapacity, your lawful heirs and assigns may invoke to us the specific right of the data subject to which he or she is an heir or an assignee, at any time after your death, or when you become incapacitated or incapable of exercising such right.

 

 

4. CCTV recordings

 

To ensure the security of our property, (where applicable) to comply with our legal obligations, to handle any accidents (such as liaising with emergency services) and medical service requests, and to handle any claims made by customers, the property is monitored by Closed Circuit Television (CCTV) cameras which capture and record footage and audio (“CCTV recordings”) which may identify you and detect your movements while you are within and around the property.

 

We ensure you that our CCTV cameras are placed in such a way that your privacy will not be intruded. There are no CCTV cameras inside hotel rooms, in restricted areas, and in common areas where you may have a reasonably heightened expectation of privacy (e.g., rest rooms and toilets).

 

Access to the CCTV recordings is carefully controlled and is restricted to individuals who have the need to access them. CCTV recordings are generally stored in our systems for thirty (30) calendar days. Otherwise, CCTV recordings shall be retained only for as long as necessary to fulfill the purpose for which they are obtained. They shall be destroyed upon the expiration of the said retention period or once they are no longer needed for any of the purposes specified herein.

 

You may exercise your rights as a data subject, as enumerated above, in relation to CCTV recordings. These rights include the right to request a copy of the CCTV recordings which involve you. However, we will evaluate on a case-to-case basis, in accordance with the lawful basis for processing of personal data, any request from you of CCTV recordings which do not involve you, or which involve any individual other than yourself.

 

CCTV recordings may be disclosed by us in the following cases: (a) law enforcement and criminal investigations; (b) court order; (c) administrative investigations; (d) request from the media; and (e) approved third-party requests.

 

This policy on CCTV recordings within and around the property should be read together with the Data Privacy and Security Policy.

 

6. Contacting us

 

In addition to contacting us in accordance with Section 5 (Contacting us) above, you may contact our data protection officer in the Philippines to exercise your rights through the following:

 

The Data Protection Officer
The Peninsula Manila
Corner of Ayala and Makati Avenues, 1226 Makati City, Metro Manila, Philippines
Phone: +63 2 8887 2888
Email: privacy@peninsula.com

 

Execution Date: 4 November 2024