Last Updated: June 8th, 2023
Kempinski Hotels S.A. (Address: 10 Rue Henriette et Jeanne-Rath 1204 Genève, Switzerland) and Key International Hotels Management Co Ltd. (Address: 12/F, NUO Center Office, No.2A Jiangtai Road Chaoyang District, Beijing, China) (hereafter collectively referred to as “Kempinski” or “We”) are committed to being responsible for processing your personal information.
This Policy contains the following sections:
- Application and definition
- How we collect and use your personal information
- How we share your personal information
- Legal bases for processing your personal information
- How we store your personal information
- How we protect your personal information
- Your rights
- How we protect children
- Links to other sites and services
- Contact us
1. Application and definition
This Policy governs and describes Kempinski’s practices (as a personal information processor under China’s data and privacy law) in connection with personal information that we collect and process through different channels available for guests in mainland China as mentioned in Section 2 below.
Definitions of “personal information”, “sensitive personal information”, and “processing” in this Policy are set out as follows and are consistent with the definitions in the relevant laws.
- Personal information: refers to various types of information recorded in electronic or other ways that is related to an identified or identifiable natural person, including but not limited to name, address, mobile phone number, and ID number, etc. but excluding anonymized information.
- Personal information processor: refers to an organization or individual that independently decides on the processing purposes and processing methods during personal information processing activities.
- Sensitive personal information: refers to personal information that, if leaked or used illegally, may easily lead to an infringement upon the human dignity of a natural person or endangerment of the safety of his/her body or property, including information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, and personal information of minors under the age of fourteen. Sensitive personal information is in bold, italic and underlined to draw your attention.
- Processing: includes personal information collection, storage, use, processing, transmission, provision, disclosure and deletion, etc.
2. How we collect and use your personal information
We will only collect and process your personal information for the following purposes described in this Policy in accordance with the principles of lawfulness, legitimacy, necessity and good faith and in compliance with applicable laws and regulations.
- When you use our WeChat official account, for the purpose of providing you with incentives and sending you gifts, we may collect and use your name, phone number and address.
- When you use our official WeChat Mini Programs, for the purpose of providing you with hotel booking services, we may collect and use your name, phone number and room reservation information.
- When you contact or follow our Weibo official account, for the purpose of online marketing campaigns including but not limited to prize draws, we will collect and use your name, contact details and mailing address.
- When you fill out offline registration forms of temporary residence at our hotels, for the purpose of providing on-site booking services to you, we may collect and use your name, date of birth, certificate (such as passport or ID card) number, visa type, visa expiration, gender, nationality, email address, phone number, membership number (if any), company name, job title, private address or business address, payment method and other on-site booking required information.
- When you make a booking through our hotel website, for the purpose of providing online booking services to you, we need to collect and use your name, phone number, email address, payment method, room reservation information and other online booking required information.
3. How we share your personal information
In order to achieve the purposes above, we may entrust third-party service providers to assist us in providing relevant operation and service support. For companies, organizations and individuals who we entrust to process your personal information, we ask them to handle your personal information in accordance with our instructions, this Policy and applicable laws.
For the purposes stated in this Policy, we may transfer your personal information to our affiliates and third-party companies located outside of China. The foreign recipients and details of the transfer are as follows:
|Recipients|Contact information|Categories of personal information being shared|Purpose and means of the recipient’s processing|
Where personal information is transferred to another jurisdiction outside mainland China, your personal information will be secured by appropriate safeguards as set forth under applicable law, including without limitation, where applicable, by the use of the standard contractual clauses published by the supervisory authority for the transfer of information between mainland China and other jurisdictions. To the extent required under applicable law, we will obtain separate consent from you before the transfer of your personal information.
4. Legal bases for processing your personal information
In most circumstances, we rely upon your consent to process your personal information. While under the relevant laws, we do not require your consent to process (including but not limited to, the collection, storage, use, processing, transmission, provision, disclosure, and deletion) your personal information when:
- the processing is necessary for the conclusion or performance of a contract to which you are a contracting party;
- the processing is necessary to fulfill statutory functions or statutory obligations;
- the processing is necessary to respond to public health emergencies or protect the life, health or property safety of natural persons under emergency circumstances;
- personal information is processed within a reasonable scope to conduct news reporting, public opinion-based supervision, or other activities in the public interest;
- the personal information that has been disclosed by the individuals themselves or other personal information that has been legally disclosed is processed within a reasonable scope in accordance with this Law; or
- under any other circumstance as provided by any law or administrative regulation.
5. How we store your personal information
We only retain your personal information for the minimum period necessary for the fulfillment of the purposes stated in this Policy. Meanwhile, we will also store your personal information in adherence to the mandatory provisions on retention periods arising from applicable laws and regulations.
6. How we protect your personal information
We strive to maintain the appropriate standards of security and we have put in place robust technical and organisational measures for the protection of your personal information in accordance with the current state of the art technologies, especially to protect the data against loss, falsification or access by unauthorised third persons. However, the transmission of information via the internet is not completely secure. So, whilst we will do our best to protect your personal information, we cannot guarantee the security of your data transmitted to our servers. Once we have received your personal information we will use strict procedures and security features to prevent unauthorised access. Our internal processing takes place inside a VPN which is firewalled against the open internet and inside of which any kind of communication is processed in an encrypted way. As far as third parties (i.e. external companies) are rendering data processing services for us, we have committed them to the compliance with our data privacy regulations. The external service providers are supervised by our Global Data Protection Manager in terms of compliance with these regulations.
Where a personal information security incident occurs, we will inform you as required by the laws and regulations via mail, letter, telephone, pushed notification or other available means. Where it is difficult to inform the subjects of the personal information one by one, we may publish an announcement on our Services. Where required by law, we will also report the treatment result of the personal information security incident.
7. Your rights
According to applicable law, you may have the following rights regarding your personal information:
- the right to know and the right to decide on the processing of your personal information;
- the right to restrict or refuse the processing of your personal information by others;
- the right to consult and duplicate your personal information;
- the right to request personal information processors to correct or supplement your personal information where you discover the information is incorrect or incomplete;
- the right to withdraw your consent to the processing of personal information based on your consent (but please note that your withdrawal of consent does not affect the validity of the processing of personal information that has been carried out based on your consent before the withdrawal);
- the right to request the transfer of personal information to your designated personal information processors;
- the right to delete your personal information under specific circumstances.
If you want to exercise your rights above, please contact us via the contact information provided in this Policy. To protect the security of your personal information, we need to verify your identity in order to respond to your rights request(s), and we may not be able to respond to the request(s) for rights related to personal information that are not from you or authorized by you (for example, requests to consult personal information of someone else).
Additionally, the rights above are subject to limitations and exceptions under applicable law. We will respond to and comply with your request(s) consistent with applicable law within 15 working days. If you have unresolved concerns, you also have the right to complain to relevant supervisory authorities or, where applicable, file a lawsuit with the court in accordance with applicable law.
8. How we protect children
We do not knowingly collect personal information from children under the age of 14 without parental/guardian consent. If you are the parent or guardian of your child and believe that we have personal information of your child without parental/guardian consent, or if you wish to withdraw such consent, please contact us via the contact information provided in this Policy and we will delete such information.
9. Links to other sites and services
Our services may contain links to third-party websites, applications and other services. Please be aware that we are not responsible for the privacy practices of such other sites and services. We encourage you to be aware when you leave our services and to read the privacy statements of each and every site you visit that collects your information.
This Policy may be updated periodically. We will update the date at the top of its first page accordingly and encourage you to check for changes that we have made. On some occasions, we may also actively advise you of specific data handling activities or significant changes to this Policy, as required by applicable law.
11. Contact us
If you have questions about this Policy or wish to contact us for any reason in relation to our personal information processing, please contact our Global Data Protection Manager at firstname.lastname@example.org.