- Detailed information regarding what personal data and other information we collect from you, how we collect it, and how it is used;
- Further descriptions of the parties with whom and for what purposes your data is shared.
Penta manages the hotels on behalf of third party hotel owners (“Owners”), which includes determining the purposes and means of the processing of personal data in the course of the operation of the hotel. When information is collected from you at the hotel, including when you make reservations in the hotel, Penta is the responsible controller of your personal data and the processing of your information will be governed by Penta’s privacy practices as set out herein, unless specifically set out otherwise. Whenever reference is made to “Services” herein, its shall equally mean “Offline Services”.
Different privacy policies may apply to other parts of our web presence – for example, web pages for online recruitment.
Our privacy practices may vary among the countries in which we operate to reflect local practices and legal requirements, such that our practices may be more limited in such jurisdictions. We will specifically inform you, if this is the case.
- What Information Does Penta Collect?
- When is Your Personal Data Collected?
- Why is Personal Data Used?
- When Do We Disclose Your Personal Data?
- What Cookies and Other Technologies Does Penta Collect?
- How Do We Protect Your Personal Data?
- Third-Party Websites and Services
- Cross-Border Data Transfers
- How Long is Your Personal Data Retained?
- How Can You Manage Your References and Information?
- What Are Your Rights Regarding Your Personal Data?
- What Information is Collected from Children?
- What About Policy Modifications?
- How to Contact Us
1.1 Personal Data
- Your name, e-mail address, phone number, physical address (billing and shipping), company affiliation, title;
- Demographic information and location and government-issued identifiers;
- Your credit card and/or debit card details;
- Guest stay information, special requests and preferences (including preferred room type or floor, vacation preferences, amenities requested, language preferences, interests, hobbies, ages of children or companions and any other aspects of the Services used);
- IP addresses, online user account details and profiles when you log-in to your Penta member account;
- Social media account information, profile pictures or images;
- Information, feedback or content you provide regarding your marketing preferences, in surveys, comment cards, sweepstakes, or promotional offers on our Services and those of third parties;
- Images and visual recordings through the use of closed circuit television systems collected while visiting a Penta hotel, where permitted by applicable law;
- Conversations, including records or monitoring of guest service calls for quality assurance and training purposes, and other communications such as in-app messages or SMS text messages, where permitted by applicable law or based upon consent;
- Contact details concerning the employees of corporate accounts and vendors and other individuals with whom we do business (e.g., travel agents, bookers, event planners); and
- Other types of information that you voluntarily choose to provide to us.
1.2 Sensitive Personal Data
From time to time, you may provide or we may collect what is considered sensitive personal information or “special categories of personal data” under applicable privacy laws (herein referred to as “Sensitive Personal Data”). For example, you may disclose your religious affiliation to us when you host or attend an event at one of our hotels or when you provide your health information or dietary restrictions so that we can accommodate you during your stay.
We only process Sensitive Personal Data if and to the extent permitted and required by applicable law or with your express consent. Unless otherwise required by applicable law, you are not required to provide us with any of your Sensitive Personal Data. Should you choose not to, your decision would not prevent you from using our Services.
1.3 Personal Data from Third Parties
We may collect Personal Data related to you from third parties such as from payment card providers, travel agencies and online booking services, other Penta hotels you have previously visited, public databases, joint marketing partners, third parties who sell products and services under our brands and your social medial sites consistent with your settings on such services.
We collect Personal Data about you in a number of ways. These include:
When you make reservations, stay at a hotel or plan or attend an event. Visitors who elect to make reservations using our Services or Offline Services will be asked to supply specific Personal Data, including name, e-mail address and contact information, as well as information to secure the reservation, such as a credit card number. We collect your Personal Data to provide you with quality services, including when you purchase goods and services, inform us of any requests, or take advantage of services such as concierge services, health clubs and spa treatments, activities, equipment rentals, and child care services. If you plan or host an event with us, we collect meeting and event specifications, such as your name, contact details, date of event, occasion, number of guest rooms required, and length of stay. We also collect information about guests that are a part of your group or event.
From Owners. As set out above, we manage hotels on behalf of Owners. If you make a reservation to stay at a hotel managed by us directly with the Owner, we will obtain Personal Data such as your stay information and payment information from the Owner of that hotel and further determine the purposes and means of the processing of that Personal Data in the course of the operation of the hotel. Penta is therefore the responsible controller of your Personal Data and the processing of your information will be governed by Penta’s privacy practices as set out herein, unless specifically set out otherwise.
When you sign up for promotional offers and sweepstakes. We collect your e-mail address when you sign up for promotional offers, newsletters or sweepstakes.
When you provide your comments and feedback or communicate with us. We value our relationship with you and always strive to improve our services to you. We may collect Personal Data that you voluntarily share with us in surveys, guest feedback or comment cards, as well as on third-party websites. We also collect your Personal Data when you communicate with us via text or e-mail or other forms like WeChat.
When you share photos. We collect and publish photos and images you voluntarily share with us about your experience with us, which you may post on our Services.
From social media. We collect information from social media activity such as when you ‘like’ the Website, share content, share photos or follow us on social media sites like Facebook, Twitter, LinkedIn, Instagram, or WeChat. If you choose to log-in, connect with or link to Services using your social media account certain Personal Data is shared with us consistent with your settings within the social media service, such as location, check-ins, activities, interests, photos, status updates, as well as Personal Data that may be a part of your profile or friend’s profile.
From other sources. We may receive your Personal Data from other sources, like public databases, joint marketing partners, and other third parties including travel agencies and credit card partners.
When you inquire about development or Owner opportunities. We may collect your Personal Data including your e-mail address when you contact us to learn more about development or ownership opportunities with us.
We use your Personal Data in a number of ways as set forth below.
3.1 Performance of a Contract. We process your Personal Data in order to perform a contract with you, including to complete your reservation, provide you goods and services that you requested, or to inform Owners of your stay in order to render services to you while visiting a hotel or other property that we manage.
3.3 To Comply with Legal Obligations. We process your Personal Data where it is necessary to comply with legal obligations to which it may be bound. This includes complying with legal processes, responding to requests from public and government authorities around the world, and pursuing available remedies or limit damage we or other third parties may sustain.
3.4 With Your Consent. We process your Personal Data when it has your valid consent to do so, including to communicate (including by e-mail and SMS) with you during your stay, sending you after-stay promotional offers, newsletters and information on us, our Services, and other marketing communications in accordance with your preferences and to process Sensitive Personal Data you may have provided us in connection with your stay, for example, any dietary restrictions or special accommodations for physical and medical conditions.
3.5 Vital Interest. In certain circumstances when it is not possible to obtain your consent, it may be necessary for us to process your Personal Data, including Sensitive Personal Data you provided through our Services, where it is in your vital interest or in the interest of others, for example in the event of a medical emergency.
We may disclose or share your Personal Data as follows:
4.1 To Hotels. The Personal Data you provide to us in connection with making a reservation is shared with the respective hotel for purposes of meeting your reservation request. The hotel may be managed by us but owned by an independent third-party Owner. After your stay, we retain your Personal Data, including the details of your stay and your preferences (e.g., room, type, interest, hobbies, amenities used) to provide you personalized service during your next stay, subject to your preferences.
4.2 To Affiliates. We are part of a global enterprise and may disclose your Personal Data to other companies or hotels within our group, including in our offices in Hong Kong and in the European Economic Area in order to help render services to you associated with your stay at our hotels and to provide you marketing communications, consistent with your choices. The complete listing of our group companies is as follows:
Penta Hotel Holdings Limited (British Virgin Islands), Penta Hotels (Asia Pacific) Limited (Hong Kong); Penta Hotels Worldwide GmbH (Germany).
4.3 Commercial Service Providers and Suppliers. We may outsource the processing of certain functions and/or information to third parties that provide services such as Services hosting, data analysis, payment and credit card processing, order fulfilment, customer service, e-mail delivery, financial services companies, delivery services, advertising networks, and information technology. We also share your Personal Data with third-party providers that provide services such as spa treatment, salons, and restaurants within our hotels, or event planners or organizers of any event you plan or host with us.
4.4 External Partners. We may share your Personal Data with other partners, consultants and advisors who render services to us, including financial institutions, external auditors, lawyers, and credit card issuers.
4.6 Social Media and Message Boards. If you connect to one of our social media pages, we may disclose your Personal Data to your friends associated with your social medial account, to other website users, and to your social media account provider, in connection with your social sharing activities. We may make reviews, message boards, blogs and other user-generated content available to users. Any information disclosed in these areas is public information. You also should exercise caution when deciding to disclose your Personal Data in this context. We are not responsible for the privacy practices of other users including web operators to whom you provide information.
4.7 Business Transfers. From time to time, a hotel may be sold by its Owner, and Penta may cease to manage such hotel. In those circumstances, we may include Personal Data collected about you, or control of that Personal Data, as a business asset in any such transfer. For example, if we cease to operate a hotel property we do not own, the Owner may continue to have and use your Personal Data for continued business purposes consistent with the hotel’s operations, including direct marketing. Additionally, we may disclose your Personal Data to a buyer or other successor in the event of a merger, sale or other transfer event, in which Personal Data held by us about our users is among the assets transferred.
4.8 Anonymized Data. We may share aggregated data with third parties collectively in an anonymous way, which does not reveal Personal Data.
5.1 Automatic Data Collection. We may use automatic data collection technologies to collect certain statistical (non-personal) information about your equipment, browsing actions, and patterns, including (a) anonymized details of your visits to our Services, such as location, date and time of access; (b) information about your computer and internet connection, operating system, host domain, and browser type; and (c) details of referring websites actions, and patterns.
5.3 Social Media Plug-ins. One of the features of our Site is that it uses what are called social plugins (“plugins”) from the social networks LinkedIn, Facebook and Instagram. These plugins are indicated by the respective logo of the social network. When you access our Site, your browser establishes a direct connection with the servers of these social networks. The content of the plugin is transferred by the social network directly to your browser, which then integrates it into the Site.
- 5.3.1 Integration of the plugin causes Facebook, for example, to receive the information that you have loaded the corresponding page of our Site. If you are logged in with Facebook, it will be able to assign your visit to your Facebook account. Please note that an exchange of this information already takes place when you visit our Site, regardless of whether you interact with the plugin or not. If you interact with the plugins, such as by pressing the “Like” button, the corresponding information is sent directly to Facebook by your browser and saved there. You can find information on the purpose and extent of data acquisition as well as how the data is processed further and used by the social networks, together with your rights and optional settings to protect your private sphere, in the data protection notes of the social networks.
5.4 Wi-Fi and Location-Based Services. In the course and for the purpose of providing Wi-Fi services at our hotels and other properties, we may collect device identifiers (such as your IP address, or other unique identifier). Based upon your consent, we also may collect information about the physical location on your device through use of the Wi-Fi services or other technologies to provide you with personalized location-based services, such as to customized offers and promotions or to find a hotel near you.
5.5 Do Not Track. Currently, we do not alter our data collection and use practices in response to Do Not Track signals.
6.1 We maintain commercially reasonable security safeguards that are designed to protect the Personal Data we collect against unauthorized use, disclosure, alteration or destruction. Notwithstanding the steps we have taken to protect your Personal Data, no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to protect your information, we cannot guarantee or warrant that your Personal Data is under absolute security with the existing security technology.
6.2 Additionally, e-mail communication to and from our Services are not secure unless clearly noted otherwise. This is a risk inherent in the use of e-mail. Please be aware of this when requesting information or sending information or forms to us by e-mail.
7.1 Our Services may contain links to, or have features that are hosted by, other third-party websites or services that are not owned or controlled by us. For example, we give you the opportunity to connect, link, or share our Services (and the content you access) via certain social media websites.
8.1 The Personal Data and other information that we collect from you will be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It also may be processed by staff operating outside the EEA who work for us or other entities acting as data processors processing data on our behalf. This includes staff and providers engaged in, among other things, the fulfillment of your request or order and the provision of support services. More information on to whom your data is disclosed can be found in Section 4.
8.2 To comply with applicable data protection law, we have implemented international data transfer agreements on the basis of EU Standard Contractual Clauses in order to provide appropriate and suitable safeguards for Personal Data transferred to countries outside the EEA where an adequate level of protection is not already guaranteed. A redacted copy (removing commercial terms) can be obtained by contacting us at the contact details provided in Section 14.
10.1 Commercial E-mails (EU and NON-EU). If you are a user based in the EU, we only send you commercial e-mails when we have obtained your explicit prior consent, except where we have obtained your e-mail address in the course of a sale or negotiations for a sale of a product or service and where the commercial e-mails are only marketing similar products or services. Independently from where you are based, you may choose to opt-out of receiving commercial e-mails from us by following the instructions contained in any of the commercial e-mails. Unsubscribing from one type of communication may not unsubscribe you from another type, unless you request to be unsubscribed from all types of information you receive from. Please note that even if you unsubscribe from commercial e-mail messages, we may still e-mail you non-commercial (transactional) e-mails related to your account and your transactions via the Services.
10.2 Owners (following termination or expiration of our management agreements) and Third-party providers may use your Personal Data for marketing purposes, however subject to your explicit prior consent when you are based in the EU. If you wish to opt-out of receiving offers directly from Owners and third-party providers, you can follow the instructions in the e-mails that they send you.
10.3 Text Messages and SMS. To opt out of text messages, reply STOP to the message you received or contact the hotel or property front desk to inform them you no longer wish to receive text messages]
10.4 Access and Connections to Social Media. If you registered with the Services through your social media account, or connected, linked, or shared your use of our Services via your social media profile, you can manage the permissions granted to such third-party social media services by accessing your user settings under your account. You also can remove our access to your social media account or otherwise control what information these third-party social media services share with us at any time by accessing the privacy settings in your social media account.
Under applicable law and regulations, you may, at any time, exercise certain rights, including the following:
11.1 Access. The right to request access to your Personal Data, which includes the right to obtain confirmation from us as to whether Personal Data concerning you is being processed, and where that is the case, access to the Personal Data and information related to how it is processed.
11.2 Rectify or Erase. The right to rectification or erasure of your Personal Data, which includes the right to have incomplete Personal Data completed.
11.3 Restrict. The right to obtain a restriction of processing concerning your Personal Data, which includes restricting us from continuing to process your Personal Data under certain circumstances (e.g., where you contest the accuracy of your Personal Data, for a period enabling us to verify the accuracy of the personal data).
11.4 Object. The right to object to the processing of your Personal Data under certain circumstances, including objecting to processing your Personal Data for direct marketing purposes, or objecting to processing your Personal Data when it is done based upon legitimate interests.
11.5 Data Portability. The right to data portability, which includes certain rights to have your Personal Data transmitted from us to you or another controller.
11.6 Consent. Where we process your Personal Data based on your consent, the right to withdraw consent at any time with effect for the future. Any requests related to the above rights may be made by contacting us as set forth in Section 14.
11.7 Complaint. In some jurisdictions, you may also have the right to lodge a complaint with a supervisory authority.
11.8 Privacy Rights for Residents of the Russian Federation: In accordance with Russian Federal Law "On Personal Data" No. 152-FZ we collect, record, systematize, accumulate, store, update (renew and modify), and extract personal data about Russian citizens using databases located in the territory of the Russian Federation. As information containing personal data may be transmitted from the Russian Federation to countries that ensure an adequate level of protection for personal data, including member states of the European Union and other countries which Russian law recognizes as ensuring adequate to protection, we duplicate personal data of residents of the Russian Federation on our systems as required to deliver the requested services. By submitting information to us on our Services, submitting membership forms to us or making reservations, you grant us consent to process your personal data.
11.9 Privacy Rights for California Residents. Under California Civil Code section 1798.83, California residents who have an established business relationship with us are entitled to ask us for a notice describing the types of personal customer information we have shared with third parties for those parties’ direct marketing purposes during the preceding calendar year. That notice will identify the categories of information shared with third parties, the names and addresses of those third parties, and examples of the types of services or products marketed by those third parties. If you are a California resident and would like to request a copy of this notice, please submit a written request to Penta Hotels Worldwide GmbH, Mayfarthstrasse 15 – 19, 60314 Frankfurt am Main, Germany, Attn: Data Protection Officer.
12.1 We have not designed the Services for and do not intend for them to be used by, anyone under age 16. Accordingly, the Services should not be used by anyone under age 16 without adult supervision. If you are under 16, please do not provide Personal Data of any kind whatsoever.
12.2 Should we inadvertently acquire Personal Data or other information from online visitors under the age of 16, we will not knowingly provide this data to any third party for any purpose. If a child does provide us with Personal Data over Services, a parent or guardian of that child may contact us and upon notification, we will delete from our records any information collected from children under the age of 16.
Penta Hotels Worldwide GmbH
Attn: Data Protection Officer
60314 Frankfurt am Main
Last updated: May 17, 2018