Ennismore Lifestyle Collective Privacy Policy

Last Updated:  26 July 2023

1. Ennismore’s commitment to protecting privacy

We consider you an important customer. Our first priority is to offer you exceptional stays and experiences throughout the world. Your complete satisfaction and confidence in Ennismore is absolutely essential to us. This Policy formalizes our commitments to you and describes how Ennismore  uses your personal data.

2. Scope of application

In this Policy, “Ennismore” means:

  • Ennismore Holdings Limited, a private limited company, registered with Companies House in the United Kingdom under company number 13348771, whose registered office is located at 20 Old Bailey, Third Floor, London, EC4M 7AN, England;
  • subsidiary companies of Ennismore involved in the businesses of Ennismore; and
  • establishments operated under one of the Ennismore brands throughout the world (“Establishments”). These brands can be viewed on ennismore.com.

Ennismore may process your data because it manages a booking engine, which allows Ennismore to collect the data necessary to organise your stay in Establishments and to communicate this data to the concerned Establishments.

Ennismore also manages a global database of clients who visit Establishments.

Ennismore may from time to time manage loyalty, guest recognition or membership programs (“Loyalty Programs”) and shall administer such Loyalty Programs (including managing marketing activities).

Each Establishment will process your data to manage its contractual relationship with you (invoicing, payment, booking management etc.), to perform marketing activities and to comply with its legal obligations.

Good to know!

You probably don’t know this, but the Establishment you are booked to stay in, or are visiting, is probably not owned by Ennismore. Most Ennismore  branded Establishments are operated under a franchise or management agreement between the Establishment’s owner and Ennismore.
This is why, when visiting one of these Establishments, your personal data will be dealt with by Ennismore  and the Establishment, both acting as Data Controllers and for their own separate purposes.

Ennismore  has communicated the principles set out in this Policy to all of the Ennismore  branded Establishments and their respective owners as will be identified as part of the payment arrangements with the Establishment. We will do our upmost to ensure that all Establishments comply with the applicable data protection laws and this Policy in relation to the processing of your personal data.

3. Ennismore’s Ten Principles for Protecting your Personal Data

  1. Lawfulness: We use personal data only if:
    • we obtain the consent of the person; OR
    • it is necessary to do so for the performance of a contract to which the person is a party; OR
    • it is necessary for compliance with a legal obligation; OR
    • it is necessary in order to protect the vital interests of the person; OR
    • we have a legitimate interest in using personal data and our usage does not adversely affect the persons’ rights.
  2. Fairness: We can explain why we need the personal data we collect.
  3. Purpose limitation and data minimisation: We only use personal data that we really need in relation to the purposes for which data was collected. If the result can be achieved with less personal data, then we make sure we use the minimum data required.
  4. Transparency: We inform people about the way we use their personal data.
  5. Rights: We facilitate the exercise of people’s rights: access to their personal data, rectification, right to restriction of processing, right to data portability and erasure of their personal data and the right to object to the use of their personal data.
  6. Storage limitation: We retain personal data for a limited period.
  7. Security: We ensure the security of personal data, i.e. its availability, integrity and confidentiality.
  8. Third Party: If a third party uses personal data, we make sure it has the capacity to protect that personal data.
  9. Transfers: If personal data is transferred outside Europe, we ensure this transfer is covered by specific legal tools.
  10. Breach: If personal data is compromised (lost, stolen, damaged, unavailable…), we notify such breaches to the respective country’s responsible authority in case of risk to the rights and freedoms of natural persons and to the person concerned, if the breach is likely to cause a high-risk in respect of the rights and freedoms of this person.

4. What personal data is collected?

Depending on how we interact with you, we may collect information about you and/or the persons accompanying you, including the following:

  • Contact details (for example, last name, first name, telephone number, email).
  • Personal information (for example, date of birth, nationality).
  • Information relating to your children (for example, first name, date of birth, age).
  • Your credit card number (for transaction and reservation purposes).
  • Information contained on a form of identification (such as ID card, passport or driver licence).
  • Your arrival and departure dates.
  • Your preferences and interests (for example, smoking or non-smoking room, preferred floor, type of bedding, type of newspapers/magazines, sports, cultural interests, food and beverages preferences, etc.).
  • Your questions/comments, during or following a stay in one of our Ennismore branded Establishments.
  • Technical and location data you generate as a result of using our websites and applications.
  • The information collected in relation to persons under 16 years of age is limited to their name, nationality and date of birth, which can only be supplied to us by an adult. We would be grateful if you could ensure that your children do not send us any personal data without your consent (particularly via the Internet). If such data is sent, you can contact Ennismore to arrange for this information to be deleted.
  • In order to meet your requirements or provide you with a specific service (such as dietary requirements), we may have to collect sensitive information, such as information concerning race, ethnicity, political opinions, religious and philosophical beliefs, union membership, or details of health or sexual orientation. In this case, we will only process this data if you provide your explicit prior consent or where it is necessary to protect your wellbeing.

5. When personal data is collected?

In general, we collect personal data directly from you and provision is voluntary, unless we inform you that provision is  mandatory, e.g. because it is required to book your hotel room. In these instances, if you do not provide the information we may not able to comply with  your request, e.g. the booking request.

Personal data may be collected on a variety of occasions, including:

  • Hotel activities:
    • Booking a room.
    • Checking-in and paying.
    • Hotel stays and services provided during a stay.
    • Requests, complaints and/or disputes.
  • Attending events or partaking in other services at an Establishment (eg spa or fitness services).
  • Eating/drinking at an Establishment (including) bar or restaurant.
  • Participation in marketing programs or events:
    • Signing up for Loyalty Programs.
    • Participation in customer surveys (for example, the Guest Satisfaction Survey).
    • Online games, competitions or prrize draws.
    • Subscription to newsletters, in order to receive offers and promotions via email.
  • Transmission of information from third parties – tour operators, travel agencies (online or not), GDS reservation systems and others (for example transmission of information from third parties required for processing your booking request, e.g. tour operators).
  • Internet activities:
    • Connection to Ennismore websites (IP address, cookies in accordance with the Ennismore Cookies Policy )
    • Online forms (online reservation, questionnaires, Ennismore pages on social networks, social networks login devices such as Facebook login, conversations with chatbot, etc.).

6. What purposes is your data collected for and for how long do we retain it?

The table at Annexure A sets out why we process your data, the lawful basis for the processing and the associated retention period.

7. Access and disclosure of your personal data

Ennismore operates in many countries and we endeavour to provide you with the same services throughout the world. Thus, we may share your personal data with internal and external recipients as is further specified in this clause.

In particular, the data related to your stays, preferences, satisfaction and, as applicable , your membership of any Loyalty Program may be shared between the Establishments.

Your data is used to improve the quality of service and your experience in each of these Establishments. In this context, your data is processed jointly by Ennismore and these Establishments. In order to pursue this legitimate interest, whilst safeguarding your rights and liberties, a specific joint controllership agreement describes the obligations and responsibilities of Ennismore  and these Establishments.

You may, at any time, object to the sharing of this data between the Establishments and Ennismore by writing to data@ennismore.com. You can also request a summary of the key points of the joint controllership agreement.

We share your data with a number of authorised people and departments in Ennismore in order to offer you the best experience in our Establishments. The following teams may have access to your data:

  • Establishment staff;
  • Reservation staff using Ennismore reservation tools;
  • IT departments;.
  • Marketing services;
  • Medical services if applicable;
  • Legal services if applicable; and
  • Generally, any appropriate person within Ennismore entities for certain specific categories of personal data.

We may also share your data with Accor S.A. (and its subsidiaries) to meet our obligations to customers, to manage reservations and hotel stays, for the management of Accor S.A.’s loyalty program and/or analytics purposes. In this Ennismore and Accor S.A. will both act as data controllers for their own, separate purposes.

We may share your data with service providers and partners. Your personal data may be sent to a third party for the purposes of supplying you with services and improving your stay, for example:

  • external service providers: IT sub-contractors, international call centres, banks, credit card issuers, external lawyers, dispatchers, printers;
  • commercial partners: Ennismore may, unless you specify otherwise to the Ennismore , enhance your profile by sharing certain personal information with its preferred commercial partners. In this case, a trusted third party may cross-check, analyse and combine your data. This data processing will allow Ennismore  and its privileged contractual partners to determine your interests and customer profile to allow us, subject to applicable laws, to send you personalized offers; and
  • social networking sites: Sometimes you may be identified on the Ennismore website without the need to fill out a registration form, as Ennismore  may have put in place a social network login system. In the event that this system is operational, if you log in using the social network login system, you explicitly authorize Ennismore  to access and store the public data on your social network account (e.g. Facebook, LinkedIn, Google, Instagram…), as well as other data stated during use of such social network login system. Ennismore  may also communicate your email address to social networks in order to identify whether you are already a user of the concerned social network and in order to post personalized, relevant adverts on your social network account if appropriate.

In the EEA appropriate measures include the use of the EU Commission’s Standard Contractual Clauses acc. to Art. 46(2)(c) GDPR, unless the country is subject to an EU Commission adequacy decision.

We may share your data with local authorities. We may be obliged to send your information to local authorities if this is required by law or as part of an inquiry. We will ensure that any such transfer is carried out in accordance with local regulations.

8. Protection of your personal data during international transfers

For the purposes set out in clause 6 of this Policy, we may transfer your personal data to internal or external recipients who may be in countries or regions offering different levels of personal data protection.

Consequently, in addition to implementation of this Policy, Ennismore employs appropriate measures to ensure secure transfer of your personal data to an Ennismore  entity or to an external recipient located in a country or region offering a different level of privacy from that in the country or region where the personal data was collected.

Your data may be sent, in particular as part of the reservation process, to Ennismore Establishments located outside of the United Kingdom or European Union, in particular in the following countries/regions: Saudi Arabia, Argentina, Australia, Bahrain, Brazil, Cambodia, Canada, Chile, China (including Taiwan Region, Hong Kong Special Administrative Region and Macau Special Administrative Region), Colombia, South Korea, Cuba, Egypt, United Arab Emirates, Ecuador, United States of America, Fiji, Indonesia, Israel, Japan, Jordan, Kuwait, Laos, Lebanon, Malaysia, Morocco, Mauritius, Mexico, New Zealand, Oman, Uzbekistan, Panama, Paraguay, Peru, Philippines, Qatar, Democratic Republic of Congo, Dominican Republic, Russia, Singapore, Switzerland, Thailand, Turkey, Ukraine, Uruguay, Vietnam and Yemen.
When we do this, we ensure it receives additional protection as required by law.

If you need more information on the appropriate measures applied in the individual case or want to obtain a copy/link to the mechanism used you can contact us at data@ennismore.com.

We may also share your data with Accor S.A. (and its subsidiaries) to meet our obligations to customers, to manage raw or as part of an inquiry. We will ensure that any such transfer is carried out in accordance with local regulations.

9. Data Security

Ennismore takes appropriate technical and organizational measures, in accordance with applicable legal provisions, to protect your personal data against illicit or accidental destruction, alteration or loss misuse and unauthorized access, modification or disclosure.

To this end, we have taken technical measures (such as firewalls) and organizational measures (such as a user ID/password system, means of physical protection etc.) to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

In relation to the submission of credit card data when making a reservation, SSL (Secure Socket Layer) encryption technology is used to guarantee a secure transaction. Organizational measures ensure the security of the processing.

10. Cookies

Ennismore uses cookies and other tracking technologies on its websites.

To find out more about how Ennismore uses these trackers and how to configure them, please see our cookies policy

11. Your Rights

You have the right to obtain information about and access your personal data collected by Ennismore , subject to applicable legal provisions.

You have the right to have your personal data rectified, erased or have the processing of it restricted.

You have the right to data portability and to issue instructions on how your data is to be treated after your death.

You can also object to the processing of your personal data, in particular to the sharing of the data related to your stays, preferences and satisfaction between the Establishments.

In the event that you wish to exercise any of your above rights, please contact Ennismore by writing to data@ennismore.com.  All requests will receive a response as swiftly as possible.

For the purposes of confidentiality and personal data protection, we will need to check your identity in order to respond to your request. In case of reasonable doubts concerning your identity you may be asked to include a copy of an official piece of identification, such as an ID card or passport, along with your request. A black and white copy of the relevant page of your identity document is sufficient.

You may also exercise your rights in respect of your personal data that is stored and processed by an Establishment as a data controller. To do this, you must contact the Establishment directly.

If you need any assistance, please contact Ennismore by writing to data@ennismore.com.

You can contact the Ennismore data protection officer by writing to data@ennismore.com.

If you are in Australia or New Zealand and have a complaint about how we collect, hold, use or disclose your personal data, you can also contact privacy.au@accor.com.

You also have the right to lodge a complaint with a data protection authority.

12. Updates

We may modify this Policy from time to time.

Consequently, we recommend that you consult it regularly, particularly when making a reservation at one of our Establishments.

13. Questions and contacts

For any questions concerning Ennismore’s personal data protection policy, please write to data@ennismore.com.

14. Notices related to local laws and regulations

Ennismore complies with both the UK and European General Data Protection Regulations when providing our services in the UK and EU markets.

There are other laws and regulations which, depending on your specific situation, may also govern the use of your personal data. You will find below additional information that may apply to you.

14.1 U.S. State privacy rights

Depending on the U.S. state in which you reside, you may have certain privacy rights regarding your personal data. If you are a California resident, please see our “Privacy Notice for California Residents” Section below.

For other U.S. state residents, your privacy rights may include (if applicable):

  • the right to confirm whether or not we are processing your personal data and to access such personal data;
  • the right to obtain a copy of your personal data that we collected from and/or about you in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the information to another controller without hindrance, where the processing is carried out by automated means;
  • the right to delete personal data that we collected from and/or about you, subject to certain exceptions;
  • the right to correct inaccurate personal data that we maintain about you, subject to certain exceptions;
  • the right, if applicable, to opt out of the processing of your personal data for purposes of (1) targeted advertising; (2) the “sale” of your personal data (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you;
  • if we are required by applicable law to obtain your consent to process sensitive personal data, the right to withdraw your consent; and
  • the right not to receive discriminatory treatment by us for the exercise of your privacy rights.

Depending on how the applicable privacy law defines a “sale,” we may sell personal data to third parties. For instance, if you are a resident of Colorado or Connecticut, our use of cookies and tracking technologies constitutes a sale of personal data to third-party advertisers.

We also use cookies and other tracking technologies to display advertisements about our products to you on non-affiliated websites, applications, and online services. This is “targeted advertising” under applicable privacy laws. We do not use personal data for profiling in furtherance of decisions that produce legal or similarly significant effects concerning individuals.

We may share any of the categories of personal data listed in section 4 with third parties.

To exercise your rights, please submit a request to data@ennismore.com. If legally required, we will comply with your request upon verification of your identity and, to the extent applicable, the identity of the individual on whose behalf you are making such request. To do so, we will ask you to verify data points based on information we have in our records. To opt out of targeted advertising, you may alter your cookie preferences here.

If you are submitting a request on behalf of another individual, please use the same contact methods described above.

If we refuse to take action regarding your request, you may appeal our decision by emailing us at data@ennismore.com.

14.2 Private notice for California residents

This “Privacy Notice for California Residents” is part of the Ennismore Group Privacy Policy and should therefore be read in conjunction with it.

The California Consumer Privacy Act 2018 (as amended by the California Privacy Rights Act of 2020) (“CCPA”) requires that we provide California residents with a privacy policy that contains a comprehensive description of our online and offline practices regarding the collection, use, disclosure, sale, sharing, and retention of personal information and of the rights of California residents regarding their personal information.

The CCPA defines “Personal Information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. In the context of this “Privacy Notice for California Residents” section, the term “Personal Information” will refer to this information.

Ennismore Group may collect the categories of Personal Information as described in section 4 of the Ennismore Group Privacy Policy.

We collect personal data from California residents, internet service providers, booking agents, employers, and data analytics providers.

If you would like more details about when your Personal Information is collected, what purposes it is collected for and how long we retain it, please see the Ennismore Group Privacy Policy – including section 5s 6 and Annexure A of the Ennismore Group Privacy Policy.

In addition to the purposes set forth in the Ennismore Group Privacy Policy, we may collect and have collected and may have “sold” (see section “DO NOT SELL OR SHARE” below) Personal Information for the following business or commercial purposes:

  • auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards;
  • helping to ensure security and integrity to the extent the use of the consumer’s Personal Information is reasonably necessary and proportionate for these purposes;
  • debugging to identify and repair errors that impair existing intended functionality;
  • performing services, including maintaining or servicing accounts, providing customer service, processing reservations, verifying customer information, processing payments, or providing analytic services;
  • undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance same; and
  • commercial purposes, such as by inducing another person to buy, join, subscribe to, provide, or exchange property or information, or enabling or effecting, directly or indirectly, a commercial transaction.

We may disclose your Personal Information with internal and external recipients subject to the conditions set forth in section 7 and for the business and commercial purposes discussed above. The categories of third parties to whom your Personal Information may be disclosed or “sold” (see section “DO NOT SELL OR SHARE” below) on a need-to-know basis are:

  • appropriate persons within hotels and Ennismore Group entities;
  • commercial partners; and
  • local authorities (if and as legally required).

We do not knowingly “sell” the Personal Information of minors under 16 years of age. For more information on data collected in relation to persons under 16 years of age and to arrange for this information to be deleted, see section 4 of the Ennismore Group Privacy Policy.

We do not collect or process sensitive Personal Information (as defined under California law) for the purpose of inferring characteristics about individuals and, consequently, do not use it for purposes other than allowed by the CCPA and its regulations.

We retain your Personal Information for as long as necessary to fulfil the purposes for which we collect it, such as to provide you with the service requested, and for the purpose of satisfying any legal, accounting, contractual, or reporting requirements that apply to us. Please see Annexure A for further information.

Your California Privacy Rights

As a California resident, you have the following rights with respect to your Personal Information:

  • the right to know what Personal Information we have collected about you, including the categories of Personal Information, the categories of sources from which we collected Personal Information, the business or commercial purpose for collecting, selling or sharing Personal Information (if applicable), the categories of third parties to whom we disclose Personal Information (if applicable), and the specific pieces of Personal Information we collected about you;
  • the right to delete Personal Information that we collected from you, subject to certain exceptions;
  • the right to correct inaccurate Personal Information that we maintain about you;
  • if we sell or share Personal Information, the right to opt out of the sale or sharing;
  • if we use or disclose sensitive Personal Information for purposes other than those allowed by the CCPA and its regulations, the right to limit our use or disclosure; and
  • the right not to receive discriminatory treatment by us for the exercise of privacy rights the CCPA confers.

How to Submit a Request to Know, Delete, and/or Correct

  • You may submit a request to know, delete, and/or correct by writing to data@ennismore.com.
  • When you submit your request, we will need to verify your identity pursuant to regulations adopted by the Attorney General. As part of our verification method, we will seek to verify the information in your request with the Personal Information we maintain about you. We will verify your identity either to a “reasonable degree of certainty” or a “reasonably high degree of certainty” depending on the sensitivity of the Personal Information and the risk of harm to you by unauthorized disclosure, deletion, or correction, as applicable. In addition, you may be required to submit a signed declaration under penalty of perjury stating that you are the individual whose Personal Information is being requested.
  • We will respond to your request within 45 days, unless additional time is needed, in which case we will let you know.

Authorised Agents
The CCPA allows California residents to designate an authorised agent to exercise their rights. If you submit a request via an authorised agent acting on your behalf, we will require this authorised agent to provide proof that you gave the agent permission to submit the request. Authorised agents may submit requests using the same methods provided above.

“Do Not Sell or Share My Personal Information”: Right to Opt-Out of the Sale or Share of Personal Information
Under the CCPA, the disclosure of Personal Information to a third party for monetary or other consideration of value can be considered as a “sale”, the term “sale” being broadly defined.

The CCPA defines a “sale” as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a California resident’s Personal Information to another business or a third party for monetary or other valuable consideration.

The CCPA gives California residents the right to opt out of the “sale” of their Personal Information.

In addition, the CCPA gives California residents the right to opt out of the “sharing” of third Personal Information, which is the transfer of Personal Information to a third party for cross-contextual behavioural advertising.

We offer Californian residents the opportunity to exercise these rights, should one of our business practices be considered a “sale” or “share” within the meaning of the CCPA.

You may submit a request to opt-out of the sale or share of your Personal Information by writing to data@ennismore.com. If you are using a browser setting or plugin that sends an opt-out preference signal to each website you visit, we will also treat that as a valid request to opt out (see section “Opt-Out Preference Signals” below for more information). To opt-out of our use of third-party advertising cookies, see our cookies policy

Cookies
On the Ennismore Group websites, Ennismore Group and its partners store or retrieve information on your device in order to: operate the websites and provide you with the services you request (these cannot be rejected), enhance and customize website functionalities, measure website audience and performance, profile your interests to provide you with relevant advertising and allow you to interact with social networks.

You can modify your choices at any time by clicking on the “Cookies” link at the bottom of the respective website.

Financial Incentives
We may offer you certain financial incentives that can result in a different price, rate, level, or quality of services.

Any financial incentive we offer will be reasonably related to the value of your Personal Information and your participation will be subject to any applicable terms.

For example, we may offer a Loyalty Programs. Categories of Personal Information that we may collect when you enter into any Loyalty Program would include your name and email address. We would take into consideration, without limitation, the anticipated revenue generated from such information, the anticipated expenses which we might incur in the collection, storage, and use of such information, and the anticipated expenses which we might incur related to the offer, provision, and imposition of any financial incentive or price difference.

Based on this analysis, the value of your Personal Information that allows us to make these offers and financial incentives is the value of the offer itself.

Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

Opt-Out Preference Signals
To download and use a browser supporting the GPC browser signal, click here: https://globalprivacycontrol.org/orgs. If you choose to use the GPC signal, you will need to turn it on for each supported browser or browser extension you use.

Some internet browsers incorporate a “Do Not Track” feature that signals to websites you visit that you do not want to have your online activity tracked.

Given that there is not a uniform way that browsers communicate the “Do Not Track” signal, our websites do not currently interpret, respond to or alter their practices when they receive “Do Not Track” signals.

Shine the Light Law
If you are a California resident, California Civil Code § 1798.83 permits you to request information regarding the disclosure of your personal information by us to third parties for the third parties’ direct marketing purposes (as those terms are defined in that statute).

This information is as follows: in accordance with European regulations, we will only disclose your personal information to third parties for the third parties’ direct marketing purposes with your express prior consent and a prior information on the third parties your information will be disclosed to.

14.3 Privacy notice for residents of China

14.3.1 Introduction

This Privacy Notice for China is part of this Policy and should be read in conjunction with it.

  • in the People’s Republic of China (which, for the purposes of this notice only, excludes the Hong Kong SAR, Macau SAR and Taiwan China) (“China“); and
  • outside China for the purposes of providing products and services to people in China.
  • For the above personal information processing activities, if there is any inconsistency between this Privacy Notice for China and the Ennismore Privacy Policy, this Privacy Notice for China prevails.

14.3.2 Collection, Use and Retention of Personal Information

The PIPL defines “Personal Information” as any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized. Processing activities include the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information.

  • WHAT PERSONAL DATA IS COLLECTED?
  • WHEN IS YOUR PERSONAL DATA COLLECTED?
  • WHAT PURPOSES IS YOUR DATA COLLECTED FOR AND HOW LONG DO WE RETAIN IT?

The PIPL gives “Sensitive Personal Information” extra protection and defines it as information that, once leaked or illegally used, will easily lead to the infringement of human dignity or harm to the personal or property safety of a natural person. Ennismore will only process Sensitive Personal Information if there is a specified purpose, necessity and strict measures for its protection. Sensitive Personal Information we collect may include information such as transaction information, ID card or passport related information, location information and stay records.

The Personal Information of minors under 14 is also Sensitive Personal Information in China, which we normally only collect from parents or guardians and is limited to their name, nationality and date of birth. We would be grateful if you could ensure that your children do not send us any personal information without your consent (particularly via the Internet). If such information is sent, you can contact Ennismore to arrange for this information to be deleted.

14.3.3 Justification of Processing for China

We only process Personal Information if there is a “lawful basis”, including:

  • your consent;
  • the processing is necessary for the conclusion or performance of a contract to which you are a contracting party;
  • the processing is necessary for performing a statutory responsibility or statutory obligation;
  • the processing is necessary for responding to a public health emergency, or protecting the life, health or property of a natural person in an emergency;
  • the personal information is processed within a reasonable manner to carry out any news reporting, supervision by public opinions or any other activity for public interest purposes;
  • the personal information has already been disclosed by the individual or otherwise legally disclosed and is processed within a reasonable scope and in accordance with the PIPL; or
  • any other circumstance as provided by law or administrative regulations of China.

All our processing in China is conducted under one of the above lawful bases as described in clause 6 of this Policy except for the following activities which are conducted under the lawful bases described in the table below:

PURPOSE/ACTIVITYLAWFUL BASIS FOR PROCESSING
Use a trusted third party to cross-check, analyze and combine your collected data at the time of booking or at the time of your stay, in order to determine your interests and develop your customer profile and to allow us to send you personalized offers.Consent
Securing and enhancing your use of Ennismore  websites, applications and services by:

– Improving navigation;

– Maintenance and support; and

– Implementing security and fraud prevention.		The conclusion or performance of a contract to which you are a contracting party.
Internal management of lists of customers having behaved inappropriately during their stay at the Establishment (aggressive and anti-social behaviour, non-compliance with safety regulations, theft, damage and vandalism or payment incidents).The conclusion or performance of a contract to which you are a contracting party.
– Securing payments by determining the associated level of fraud risk. As part of this analysis, Ennismore and Establishments may use the Ennismore risk prevention service provider to refine their analysis.

– Depending on the results of the investigations carried out, Ennismore may take security measures, in particular Ennismore may request the use of a different booking channel or for the use of an alternative payment method. These measures will have the effect of suspending the execution of the booking or, if the result of the analysis does not guarantee the safety of the order, of cancelling it.

– Fraudulent use of a means of payment leading to payment default may result in the entry of data in the Ennismore incident file, which may lead Ennismore to block future payments or carry out additional checks.		The conclusion or performance of a contract to which you are a contracting party.
Securing properties and persons and preventing non-payments.

For these reasons, some Establishments have a feature that allow them to include in the category of “ineffective” customers, any customer whose behaviour has been inappropriate in the following ways: aggression and rudeness, non-compliance with the Establishment contract, failure to observe safety rules, theft, damage and vandalism, or payment issues. The status of “ineffective” may cause the Establishment where this listing originated to refuse a customer’s reservation when he/she returns to the same Establishment.		The conclusion or performance of a contract to which you are a contracting party.
Using services to search for persons staying in Ennismore Establishments in the event of serious events affecting the Establishment in question (natural disasters, terrorist attacks, etc.).Responding to a public health emergency, or for protecting the life, health or property safety of a natural person in the case of an emergency.

14.3.4 Conditions of Third-Party Access to Your Personal Information

Entrusted Personal Information Processing

In order to provide certain services to you, we may need to entrust a service provider to process some of your personal information. We will enter into strict confidentiality agreements and personal information protection clauses with such entrusted parties, requiring them to process and protect your personal information in accordance with our requirements, this Privacy Notice and any other relevant confidentiality and security requirements.

Providing Personal Information to Third-Party Service Providers

In order to give you a better service experience, we provide you with access to a variety of products or services provided by third party service providers. When you use these services, we may, with your explicit authorization or consent, provide or share your personal information for the purposes described of this Policy among members of Ennismore or third party service providers, including:

  • any entity in Ennismore;
  • franchised and managed Establishments;
  • master franchisees;
  • spa, restaurant, health club, concierge and other outlets at properties to provide you with services;
  • partners of our Loyalty Programs;
  • travel agencies and distributions systems operators;
  • payment services providers;
  • travel insurance partners; and
  • advertising network and analytics providers for Ennismore  websites and mobile applications.

Third-Party SDKs We Use

Our website may have integrated third-party software development kits (SDKs) to ensure their stable operation and to provide relevant services to you.

If you want to know more information about the third-party SDKs we use, please see the following SDK list:

#NAME OF THE SDKSDK SERVICE PROVIDERPURPOSES OF PROCESSING PERSONAL INFORMATIONPERSONAL INFORMATION COLLECTED VIA SDKSDK SERVICE PROVIDER’S PRIVACY POLICY
1Google AnalyticsGoogle, Inc.User tracking and engagement.No personal information, only anonymous datahttps://developers.google.com/analytics/devguides/collection/protocol/policy

2Google Tag ManagerGoogle, Inc.Managing tracking plan in the appNo personal information, only anonymous datahttps://marketingplatform.google.com/about/analytics/tag-manager/use-policy/#:~:text=If%20You%20have%203rd%20Party,responsible%20for%203rd%20Party%20Tags.&text=to%20upload%20any%20data%20to,such%20information%20by%20Google%2C%20or
3OneTrustOne Trust, LLC.User consent management platform.Cookie consent for one device / no user datahttps://www.onetrust.com/privacy-notice/
4FacebookMeta, Inc.User tracking, such as Firebase, for Facebook purposesPMID (user identifier)https://www.facebook.com/policy.php

14.3.5   Protection of Your Personal Data During International Transfers

Your data may be sent, in particular as part of the reservation process, to any Ennismore Establishments located in the following countries or regions: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, Norway, South Africa, Algeria, Andorra, Angola, Saudi Arabia, Argentina, Australia, Bahrain, Benin, Brazil, Cambodia, Cameroon, Canada, Chile, Colombia, South Korea, Ivory Coast, Cuba, Egypt, United Arab Emirates, Ecuador, United States of America, Fiji, Ghana, Guatemala, Equatorial Guinea, Hong Kong SAR, India, Indonesia, Israel, Japan, Jordan, Kuwait, Laos, Lebanon, Macao SAR, Madagascar, Malaysia, Morocco, Mauritius, Mexico, Monaco, Myanmar, Nigeria, New Zealand, Oman, Uzbekistan, Panama, Paraguay, Peru, Philippines, Qatar, Democratic Republic of Congo, Dominican Republic, Russia, Senegal, Singapore, Switzerland, Chad, Thailand, Togo, Tunisia, Turkmenistan, Turkey, Ukraine, United Kingdom Uruguay, Vietnam, Yemen, Taiwan China.

We will work with these personal information recipients located outside China through agreements and other means that require them to take necessary personal information security measures and clarify their personal information protection responsibilities to ensure that your personal information receives adequate and uniform protection in China and countries or regions outside China.

14.3.6   Data Security

We take appropriate technical and organizational measures, in accordance with applicable legal provisions, to protect your personal information against unlawful or accidental destruction, alteration, loss, misuse, access, modification or disclosure. For more information, please read clause 9 of this Policy.

14.3.7   Your Rights

In addition to your rights under clause 11 of this Policy, unless otherwise provided by law or administrative regulations of China, you also have the following rights:

  • the right to be informed about and the right to decide on the processing of your personal information, as well as the right to restrict or deny us from processing of your personal information;
  • the right to access or make copies of your personal information from us;
  • the right to have your personal information transferred to another entity that you designate, provided that the conditions prescribed by the national cybersecurity authority are met;
  • the right to ask us to correct or complete your personal information;
  • the right to withdraw your consent if our processing activities are based on your consent;
  • the right to ask us to explain the rules of processing your personal information; and
  • the right to ask us to explain decisions we make through automated decision-making, if the decision has a material impact on your rights and interests, as well as the right to refuse the making of decisions by us solely by means of automated decision-making.

As introduced in clause 11 of this Policy you may contact data@ennismore.com or the Establishment directly in the event that you wish to exercise any of your rights.

In addition, if you use our App you can also correct, complete or delete some of your personal information by clicking on the “Account” button, then clicking on “Advanced settings” and then on “Request the deletion of your account”.

We will deal with your requests to exercise your rights under applicable Chinese laws or administrative regulations promptly and within 15 working days.

14.3.9   Questions and Contacts

  • In the event that you have any questions about your personal information or wish to exercise any of your rights, please contact Ennismore directly by sending an email to data@ennismore.com.
  • Alternatively, if you wish to contact our team in China, please contact:
    Email: DataPrivacy.Team@accor.com
    Address: AAPC (Shanghai) Co., Ltd,
    12F, Tower C, The PLACE, No.150 Zun Yi Road, Shanghai 200051, P R. China

Annexure A

What purposes is your data collected for and how long do we retain it?

The table set out in why we process your data, the lawful basis for the processing and the associated retention period.

PURPOSE/ACTIVITYLAWFUL BASIS FOR PROCESSING INCLUDING BASIS OF LEGITIMATE INTERESTRETENTION PERIOD
Meeting our obligations to our customers.

Managing the reservation of rooms and accomodation requests, in particular the creation and storage of legal documents in compliance with accounting standards.		Performance of a contract with you. Necessary to comply with a legal obligation.

Necessary for our legitimate interest in running our business and providing you with requested products and services.		10 years from the booking in accordance with legal obligations.
Managing your stay at the Establishment:

– Managing access to rooms.

– Monitoring your use of services (telephone, bar, pay TV etc.).		– Performance of a contract with you.

– Necessary for our legitimate interest in running our business and providing you with requested products and services.		For the duration of your stay.
Managing our relationship with customers before, during and after your stay:

– Managing any Loyalty Program.

– Inputting details into the customer database.

– Segmentation analysis based on reservation history and customer travel preferences with a view to sending targeted communications, subject to the requirements of applicable law.

– Predicting and anticipating future customer behaviours.

– Developing statistics, commercial scores and carrying out reporting of the same.

– Providing context data for our marketing tools. This happens when a customer visits an Ennismore  website or makes a reservation.

– Understanding and managing the preferences of new or repeat customers.

– Sending customers newsletters, promotions, tourist, hotel or service offers, offers from Ennismore or its commercial partners, or contacting you by telephone subject to the requirements of applicable law		– Performance of our contract with you and for the management of your membership in any Loyalty Program.

– Necessary for our legitimate interests in promoting our services, performing direct marketing activities (taking into account your commercial relationship with one of Ennismore’s entities) and improving our services.		– 3 years from the last date on which you have interacted with us in any way, if you are not a member of any Loyalty Program.

– 6 years from the last date on which you have interacted with us in any way, if you are a member of any Loyalty Program.
Improving our service by:

– Personalising your check-in, improving the quality of service and customer experience.

– Processing your personal data through our customer marketing program in order to carry out marketing operations, promote brands and gain a better understanding of your requirements and wishes.

– Adapting our products and services to better meet your requirements

– Customising the commercial offers and promotional messages we send you.

– Informing you of special offers and any new services created by Ennismore  or one of its subsidiaries or commercial partners.		Performance of contract with you in relation to the management of your membership in any Loyalty Program.

Necessary for our legitimate interests in promoting our services, performing direct marketing activities (taking into account your commercial relationship with Ennismore) and improving our services.		– 3 years from the last date on which you have interacted with us in any way, if you are not a member of any Loyalty Program.

– 6 years from the last date on which you have interacted with us in any way, if you are a member of any Loyalty Program.
Use a trusted third party to cross-check, analyse and combine your collected data at the time of booking or at the time of your stay, in order to determine your interests and develop your customer profile and to allow us to send you personalized offers.Necessary for our legitimate interests in promoting our services, performing direct marketing activities (taking into account your commercial relationship with one of Ennismore’s entities) and improving our services.– 3 years from the last date on which you have interacted with us in any way, if you are not a member of any Loyalty Program.

– 6 years from the last date on which you have interacted with us in any way, if you are a member of any Loyalty Program.
Securing and enhancing your use of Ennismore  websites, applications and services by:

– Improving navigation.

– Maintenance and support.

– Implementing security and fraud prevention.		Necessary for our legitimate interests in running our business, provision of administration and IT services and network security to prevent fraud.13 months from the collection of the information.
Internal management of lists of customers having behaved inappropriately during their stay at the Establishment (aggressive and anti-social behaviour, non-compliance with safety regulations, theft, damage and vandalism or payment incidents).Necessary for our legitimate interests in running our business and to prevent fraud and the abuse of our property and staff.Up to 122 days from the recording of an event.
Securing payments by determining the associated level of fraud risk. As part of this analysis, Ennismore and Establishments may use the Ennismore  risk prevention service provider to refine their analysis.

Depending on the results of the investigations carried out, Ennismore  may take security measures, in particular Ennismore  may request the use of a different booking channel or for the use of an alternative payment method.		Necessary for our legitimate interests in running our business and to prevent fraud.
– 90 days to our database to allow for analysis and controls and then 2 years in a separated database used for improving the system.

– In case of recording in the incident file, 2 years from recording or until regularization of the situation if earlier.
Securing properties and persons and preventing non-payments.

For these reasons, some Establishments have a feature that allow them to include in the category of “ineffective” customers, any customer whose behaviour has been inappropriate in the following ways: aggression and rudeness, non-compliance with the Establishment contract, failure to observe safety rules, theft, damage and vandalism, or payment issues.		Necessary for our legitimate interests in running our business, securing properties and persons and preventing non-payments.122 days from registration.
Using services to search for persons staying in Ennismore  Establishments in the event of serious events affecting the Establishment in question (natural disasters, terrorist attacks, etc.).Protection of the vital interests of the guests.For the duration of the event.
Conforming to any applicable legislation (for example, storing of accounting documents), including:

– Managing requests to unsubscribe from newsletters, promotions, tourist offers and satisfaction surveys.

– Managing data subject’s requests regarding their personal data.		Necessary to comply with a legal obligation.As stipulated in the respective country’s legislation.