FIVE is committed to ensuring fair and secure Processing of any information relating to its employees, external/third-party personnel, including Customers, consultants, interns, and contractors in accordance with the data privacy laws in the countries it operates, industry-leading practices, and recognized international standards on privacy and the protection of personal information.
- To ensure that all the confidential information in FIVE custody is adequately protected against threats to maintain its security.
- To ensure that FIVE employees are fully aware of the contractual, statutory, or regulatory implications of any privacy breaches.
- To limit the use of Personal Information (refer appendix) by business functions
- To create awareness of privacy requirements for all employees to understand the importance of privacy practices and their responsibilities for maintaining privacy.
- To make all the employees aware of, the processes that need to be followed for collection, lawful usage, disclosure/ transfer, data retention, archival, and disposal of personal information.
- To ensure that all third parties collecting, storing, and Processing Personal Information on behalf of FIVE provide adequate data protection.
- To ensure that applicable regulations and contracts regarding the maintenance of privacy, protection, and cross-border transfer of personal Information are adhered to.
The policy is applicable to all guests, employees, external/third party personnel including consultants, interns, and contractors at FIVE as well as the former employees. FIVE operates the domain www.fivehotelsandresorts.com and www.fiveglobalholdings.com for hosting its website and booking platform.
The purpose of this policy is to articulate FIVE’s position on privacy and protection of personal identifiable information (PII) and sensitive Personal Information (SPI) (Refer APPENDIX) collected during the course of its business operations, and therefore to:
- Provide management direction and support for privacy and protection of personal information;
- Set the requirements and expectations for data privacy,
- Set out the roles and responsibilities that all stakeholders: employees, external/third party personnel including consultants, interns, and contractors have towards privacy and protection of personal information;
- Ensure Privacy by Design (refer definitions) for all new and existing business activities, projects, programs, businesses, processes, technologies, products, or research; and
- Guide the implementation of appropriate policies, standards, processes, procedures, and controls that are necessary to uphold the confidentiality, integrity and availability of all Personal Information resources within FIVE
- FIVE has appointed a Data Protection Officer (DPO, as the person with responsibility for data protection compliance. If you have any questions regarding data protection or wish to exercise your rights, please contact our data protection contact person by sending an email to – email@example.com or you may also raise any concerns or requests at the following address –
Dubai – FIVE Hotel FZE, – PO Box 6438. FIVE Palm Jumeirah Dubai. No. 1, Palm Jumeirah. Dubai, United Arab Emirates.
- KEY PRIVACY PRINCIPLES
5.1 LAWFULNESS, FAIRNESS AND TRANSPARENCY:
Personal Information shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject (‘lawfulness, fairness, transparency’). FIVE must ensure their practices around data collection don’t compromise the law and that their use of data is transparent to Data Subjects (refer to definitions).
5.2 PURPOSE LIMITATIONS:
Personal information should only be collected for specific, clear, and legal reasons, and it shouldn’t be used in a way that goes against those reasons.
5.3 DATA MINIMISATION:
Personal information must be accurate, useful, and limited to what is needed for the purpose it is being used for. Five can’t gather personal information just in case it could be useful in the future. If they keep and collect more information than they need, they may not be following this data privacy principle.
5.4 ACCURACY OF DATA COLLECTED:
When personal information is collected, it must be correct and, if necessary, kept up to date. Every reasonable step must be taken to make sure that personal information that is wrong, given the purpose for which it is being processed, is erased or fixed as soon as possible.
5.5 STORAGE LIMITATION:
Personal information should not be kept for longer than is needed for the purposes for which it is used. Personal information can be kept for longer as long as it is only used for public interest, scientific or historical research, or statistical purposes (refer appendix).
5.6 INTEGRITY AND CONFIDENTIALITY:
Personal information must be handled in a way that protects it from unauthorized or illegal processing and accidental loss, destruction, or damage. This can be done with the help of appropriate technical or organizational measures. FIVE needs to make sure that all the right steps are taken to keep personal information safe. This could include protecting against accidental damage or loss, unauthorized use, and threats from the outside.
6 LAWFULNESS OF PROCESSING
Personal Information shall be processed in accordance with one of the following lawful grounds:
- FIVE must seek individual consent for the collection, use, store, sharing and maintenance of personal information (as per Point 7) and provide a mechanism for appropriate access, correction of personal information which FIVE uses; the Data Subject has given consent to the Processing of his or her Personal Information for one or more specific purposes;
- Only collect personal information that is directly relevant and necessary to accomplish the specified purpose(s) and only to retain personal information as long as is necessary to fulfil the specified purposes(s);
- To ensure that the reasons for processing are clear and open, and in line with the reasonable expectations of the individuals concerned;
- Protect Personal Information (in all forms) through appropriate security safeguards against risk such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure;
- Ensure that personnel handling Personal Information is accountable for adhering to these principles;
- Be able to demonstrate compliance with these principles and all applicable privacy regulations.
Consent shall be obtained from Data Subjects, if it is used as a ground for Processing personal information, at the time of collection of Personal Information or at the earliest. Types of data consent are as follows:
- Explicit consent shall be obtained from Data Subjects for the collection, use, and disclosure of sensitive Personal Information (refer appendix) [For Switzerland – including high-risk profiling and profiling by a federal body], unless a law or regulation specifically requires or allows otherwise. A record should be maintained of explicit consent obtained from Data Subjects.
- Implicit consent shall be considered adequate for the collection, use, and disclosure of Personal Information which does not qualify as sensitive personal information
Consent will be obtained from Data Subjects before their Personal Information is used for purposes other than previously identified.
Appropriate consent will be obtained from Data Subjects before their Personal Information is transferred to or from FIVE’s systems. The consent which is obtained by FIVE should be saved and retained. FIVE must be able to demonstrate that the appropriate methods and procedures are in place to manage the records of the consent, withdrawal of consent and the periodic evaluation of the records of consent should be conducted.
- A privacy notice needs to be provided while collecting Personal Information which lists the details as below:
- Purposes for which Personal Information is collected, used, and disclosed.
- Period for which Personal Information shall be retained as per identified business.
- That Personal Information shall only be collected for the identified purposes.
- Methods employed for the collection of personal information, including ‘cookies’ and other tracking techniques, and third-party agencies.
- That an individual’s Personal Information shall be disclosed to Third Parties only for identified lawful business purposes and with the consent of the individual, wherever possible.
- That an individual’s Personal Information may be transferred within FIVE entities, globally as per requirement, for business purposes with adequate security measures required by law or as per the guidance provided by industry-leading practices.
- Process for an individual to exercise their Data Subject Rights.
- Process for an individual to register a complaint or grievance about privacy practices at FIVE.
- Contact information of person in charge of privacy\ practices and responsible for privacy concerns with address at FIVE.
- That implicit or explicit consent is required to collect, use and disclose personal information unless a law or regulation specifically requires or allows otherwise
- Process for an individual to withdraw consent for the collection, use, and disclosure of their Personal Information for identified purposes.
9 DATA SUBJECT RIGHTS
FIVE is required to make available the means and procedures for data subjects to exercise the following rights:
9.1 RIGHT TO ACCESS INFORMATION
The Data Subject will have the right to request FIVE and obtain the following information:
- The categories of Personal Information processed
- The purpose of the Processing
- Who else (if anyone) the data will be transferred to
- The period for which the data will be stored
9.1.2 Limitations to the right to information
FIVE may refuse to provide information, or restrict or delay the provision of information if:
- formal law so provides, in particular in order to preserve professional secrecy;
- this is required to safeguard overriding third-party interests; or
- the request for information is obviously unjustified, in particular if does not serve the purpose of data protection or is clearly frivolous
Furthermore, it is possible to refuse, restrict or delay the provision of information in the following cases:
- FIVE’s own overriding interests require the measure
- FIVE does not intend to disclose the personal data to third parties (does not include legal entities that belong to the same group of companies)
FIVE shall indicate why it is refusing, restricting or delaying the provision of the information.
9.2 RIGHT TO REQUEST PERSONAL INFORMATION PORTABILITY
The Data Subject will have the right to receive his/her Personal Information in a structured and machine-readable format where the:
- Processing of Personal Information is subject to the Data Subject’s consent or Processing of personal information in direct connection with the conclusion or the performance of a contract between FIVE and the data subject and;
- FIVE is carrying out automated processing of the data
The data subject may also request the controller to transfer their personal data to another controller if the above requirements are met and no disproportionate effort is required.
FIVE may refuse, restrict or delay the delivery or transfer of personal data for the reasons in 9.1.2 and provide reasons to refuse, restrict or delay the delivery or transfer.
9.3 RIGHT TO RECTIFICATION OF PERSONAL INFORMATION
The Data Subject shall have the right to have inaccurate Personal Information rectified. Depending on the reason for processing, a data subject may also be able to have incomplete personal information completed.
9.4 RIGHT TO ERASURE OF PERSONAL INFORMATION
A data subject has the right to request to erase some or all of the Personal Information FIVE holds about them. but only if one of the following applies:
- The data is no longer needed for the purposes for which it was received or processed;
- The processing was based on consent, and the data subject withdraws that consent;
- The data subject successfully exercises the right to object;
- The data has been unlawfully processed;
- EU or national law requires that the data be erased;
9.5 RIGHT TO RESTRICTION OF PROCESSING:
Data Subject will have the right to require the FIVE to restrict and stop his/her Personal Information from being used in any way. The Data Subject can exercise this right in the following circumstances:
- Where the Data Subject contests the accuracy of personal information
- Where the Data Subject objects to the Processing of his/her Personal Information contrary to agreed purposes;
- Where the Processing is performed in contravention of a provision of the applicable data privacy law.
9.6 RIGHT TO STOP PROCESSING
The Data Subjects will also have the right to require the FIVE to stop the Processing of his/her Personal Information in the following circumstances:
- Where Personal Information is processed for direct marketing purposes;
- Where the Processing is for statistical survey purposes unless the Processing is essential for the reasons of public interest;
- Where the Processing is not in accordance with the Personal Information Protection Principles
- The data subject shall have the right to object at any time to processing of personal data concerning him or her – the FIVE shall no longer process the personal data unless the FIVE demonstrates compelling legitimate grounds.
9.7 AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING
Data Subject shall have the right to object to any decision based solely on automated processing including profiling, which produces legal consequences concerning him or other seriously impactful consequences and to require such decision to be reviewed manually.
9.8 OTHER RIGHTS
The Data Subjects have a number of other rights in relation to their personal data. They can require FIVE to:
- Rectify inaccurate data;
- Stop processing or erase data that is unnecessary for the processing;
- Stop processing or erase data if the individual’s interest override FIVE’s legitimate grounds for processing data;
- Stop processing or erase data if processing is unlawful;
- Stop processing data for a period if data is inaccurate.
Cookies are information files that the web browser stores on the hard drive or in the memory of your computer when you visit our website. Cookies are assigned identification numbers that enable your browser to be identified, and allow the information contained in the cookie to be read.
Cookies in so far as they are used to identify users, qualify as Personal Information and are therefore subject to the Data Privacy law.
- To comply with the regulations governing cookies under the data privacy law FIVE must:
- Receive Data Subject consent before FIVE use any cookies except strictly necessary cookies
- Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
- Document and store consent received from Data Subjects
- Allow Data Subjects to Access FIVE services even if they refuse to allow the use of certain cookies
- It should be easy for Data Subjects to withdraw their consent as it was for them to give their consent in the first place.
11 RECORD OF PROCESSING ACTIVITIES
- FIVE is required to keep records concerning the Personal Information they process. It must include the following but not be limited to:
- Details of the FIVE SPOCs and DPO;
- A description of the categories of Personal Information it processes;
- The purpose(s) of the Processing
- Information in relation to the persons authorized to access the personal information
- Retention period and limits of the Processing
- The method of erasing or rectifying the information
- Any information related to cross border data transfers; and
- Any information related to the technical and organizational measures used to secure Personal Information.
FIVE needs to ensure that this shall be regularly updated and reviewed by respective department SPOCs.
12 DATA PROTECTION IMPACT ASSESSMENT
- A DPO, shall be responsible for overseeing data protection impact assessments for proposed processing operations to assess their impact on the protection of Personal information, considering the risks to the rights of the Data Subjects concerned
- The assessment shall contain at least:
- A systematic description of the foreseen Processing operations and the purpose(s) of the
- Processing, including, where applicable, the legitimate interest pursued by FIVE;
- An assessment of the necessity and proportionality of the Processing operations in relation to the purpose(s);
13 COLLECTION AND USE OF PERSONAL INFORMATION
13.1 COLLECTION OF PERSONAL INFORMATION
- The collection of Personal Information shall be limited to the minimum requirement for lawful business purposes as identified by FIVE.
- Methods of collecting Personal Information shall be reviewed by FIVE management to ensure that Personal Information is obtained:
- Fairly, without intimidation or deception, and
- Lawfully, adhering to laws and regulations relating to the collection of personal information.
- Management shall confirm that Third Parties from whom Personal Information is collected:
- Use fair and lawful information collection methods, and
Data Subjects shall be notified if any additional information is obtained from them.
13.2 USE OF INFORMATION
Any of the information collected by FIVE may be used in one of the following ways:
- To develop, customize and improve the services
- Marketing purposes to inform other information, events, promotions, products or services
- To process Personal Information necessary for the performance of a contract and providing the services
- To process Personal Information necessary for compliance with a legal obligation
- Improve quality and facilitate use of the other applications which are transferring the data from one country to another
- Obtain third party services for facilitating lawful business purposes of FIVE
13.3 QUALITY OF PERSONAL INFORMATION
FIVE shall ensure completeness and accuracy of the Personal Information collected at the time of collection and that the Personal Information shall be kept up to date and validated on an ongoing basis
13.4 Data Processing when contacting FIVE
If the guest/ employee/ any data subject contacts FIVE through our contact addresses and channels (e.g., by e-mail, phone, or contact form), your personal data is processed. We process the data you provide us with, such as your name, email address, phone number, and your request. Additionally, the time of receipt of the request will be documented.
13.5 Data Processing when using our Chat Function
If the guest/ employee/ any data subject contact FIVE through chat for reservations/ special requests/ complaints/ concerns, their personal data will be processed. FIVE processes the data provided, such as the name of the company, name, role, email address and request. Additionally, the time of receipt of the request will be documented. This data is processed to exclusively address the request (e.g., providing information about the Hotel, assisting with contract processing such as questions about the booking, incorporating feedback to improve services, etc.)
13.6 Data Processing for Guest Profile
For creation of guest profile/ new booking/ account creation (for group bookings/ events), the following data is collected:
- Personal information:
- First name
- Billing and, if applicable, delivery address
- Email address
- Contact number information
- Date of birth
- Company name, company address and UID for corporate customers
- Identity proof issued by the Government
- Information related to preferences/ allergens, etc.
- Social media IDs
This personal data may be utilized to verify the identity and to check the requirements for registration. Email address is collected for future communication with the guest, which is necessary for the execution of the contract. Additionally, this data may be stored in the system/ shared drives for future reference. The data is additionally utilized to offer a comprehensive view of the individual’s bookings and associated services. It aids in streamlining the handling of personal information and managing contractual commitments. This encompasses tasks such as establishing, defining content, processing, and making modifications to agreements formed with the individual through their customer account, particularly in connection to their reservations.
The processing of language and gender details serves the purpose of tailoring personalized offers, leveraging insights from the individual’s profile and specific requirements. These details are subjected to statistical scrutiny and assessment of chosen proposals, contributing to the optimization of recommendations and offerings.
13.7 Data Processing during website bookings
On the FIVE websites, individuals are provided with the option to reserve an overnight accommodation. For this purpose, FIVE collects the following data, whereby mandatory fields during the booking process are marked with an asterisk (*):
- First name*
- Last name*
- Email address*
- Contact number
- Payment method*
- Credit card information*
- Confirmation about notification of special offers
- Confirmation on usage of the same email address as contact information for payment confirmation
The data collected serves the purpose of establishing the individual’s identity prior to entering into a contractual agreement. The email address is required for booking confirmation and future communication essential for contract fulfillment. FIVE retains this data alongside pertinent booking particulars (such as room category, duration of stay, as well as description, price, and attributes of services), payment details (including chosen payment method, payment verification, and timing), and information concerning contract execution and performance (covering issues like complaints handling) to ensure accurate processing of reservations and proper contract execution.
As needed for contract fulfillment, there is the possibility of disclosing necessary information to relevant third-party service providers (such as organizers or transportation companies).
The submission of non-mandatory data is at the discretion of the individual. This data is subjected to processing with the aim of customizing FIVE’s offerings according to the individual’s specific requirements. Additionally, it aids in simplifying contract execution, enabling alternate communication methods if essential for contract fulfillment, and contributing to the accumulation and examination of statistical data for the purpose of enhancing the FIVE’s offerings.
13.8 Data Processing during bookings received through a booking platform
13.9 Data Processing when Reserving a Table
On FIVE’s website, guests have the option to initiate a table reservation at a restaurant featured on the website. To facilitate this process, the establishment gathers specific data, and obligatory fields for reservations made via the website are identified by an asterisk (*):
- First name
- Last name
- Date of Birth
- Number of guests
- Email address
- Phone number
- Menu or offer type
- Date and time of the reservation
The data is collected and processed with the primary objective of managing the reservation procedure. This encompasses tailoring the reservation request according to the individual’s preferences and initiating contact in case of uncertainties or issues. FIVE retains this data alongside pertinent reservation particulars (such as request date and time), reservation information (including table assignment), and information related to contract execution and performance. This approach ensures the accurate processing of reservations and proper fulfillment of contractual obligations.
To process table reservations, FIVE uses a software application provided by SEVENROOMS INC, 228 Park Ave South, PMB 33706, New York, NY 10003, the provider of our restaurant reservation system. It may receive and share with us any personal data you provide to it, either directly, including by email, or through our website, mobile application or social media accounts. Its privacy related terms are accessible here: https://sevenrooms.com/en/privacy-policy/.
13.10 Data processing during payment processing
When guests use electronic payment methods for purchases, services, or reservations at FIVE (including F&B outlets), personal data processing is required. Payment instrument details are sent to payment providers via terminals. These providers also receive transaction specifics. FIVE gets payment confirmations with receipt numbers. In case of online booking and payments, Guests should check provider policies and terms.
For processing payment through payment links sent to guests/ payment processing at the hotel, FIVE uses services of a third-party platform, Planet Payment Group Holdings Ltd., Martin House, IDA Business Park, Dangan, Galway, H91 A06C, as the provider for our payment processing solution (Planet/3C). FIVE does not have access to and thereby does not control any personal data directly shared with or through Planet/3C. Please refer to their privacy statements with respect to their data processing, accessible here: https://www.planetpayment.com/en/privacy/; https://www.planetpayment.com/en/gdpr-compliance/
13.11 Data Processing related to the recording and Invoicing of rendered Services
In instances where guests avail themselves of services throughout their stay (such as extended nights, wellness treatments, restaurant amenities, or activities), beyond their contractual information, FIVE undertakes the collection and processing of booking particulars (comprising booking time and comments) along with data pertinent to the reserved and rendered services (encompassing service description, cost, and time of service provision). The primary intent of this data processing is to effectively manage the execution of the provided service.
13.12 Data Processing related to Email Marketing
If the guest registers for FIVE’s marketing emails to be aware of the marketing offers, (eg. as part of an order, booking, or reservation), the following data is collected. Mandatory fields are marked with an asterisk (*):
- -Email address
- First and last name
- Date of Birth
- Anniversary Date
By agreeing to the terms and conditions, the guest consents to the processing of this data in order to receive marketing emails from us about our hotel and related information on products and services. These marketing emails may also include invitations to participate in contests, to provide feedback, or to rate our products and services. The collection of the salutation, first and last name allows us to associate the registration with any existing customer profile and personalize the content of the marketing emails accordingly.
FIVE shall use the data to send marketing emails until consent is withdrawn. The guest can withdraw their consent at any time, in particular by using the unsubscribe link included in all marketing emails. For sending marketing emails, we use a software application provided by Travelclick (Amadeus Hospitality). Therefore, your data may be stored in a database of the company, which may allow them to access data if this is necessary for providing the software and supporting its use.
13.13 Data Processing when Submitting Guest Feedback
During stay or post-stay, all guests have an opportunity to provide FIVE with feedback (e.g., positive feedback, criticism, and suggestions for improvement) through in-stay and post-stay survey with questions grading on cleanliness, services, sustainability among others. For this purpose, the following data is collected –
- First and last name
- Duration of stay
The processing of your data is carried out as part of our quality management and ultimately aims to better tailor our services and products to the needs of our guests. Specifically, your data is processed for the following purposes:
– Clarification of the request, e.g., obtaining input from employees and supervisors or seeking further information from you, etc.;
– Evaluation and analysis of information, e.g. compiling satisfaction statistics, com-paring individual services, etc.; or
– Taking organizational measures based on the findings, e.g. addressing shortcomings/deficiencies/misconduct, for example, through repairing defective equipment, providing instructions, as well as giving praise or issuing warnings to employees
In connection with guest feedback, FIVE uses a software application provided by Shiji Information Technology Spain, S.A, Passeig de Gràcia, 17, planta 6, 08007 Barcelona (Spain), the provider of our guest experience improvement suite (ReviewPro). It may receive and share with us any personal data you provide to it through the dedicated platform in the course of providing a feedback on the stay. Its privacy related terms are accessible here: https://www.reviewpro.com/privacy/.
13.14 Data Processing in connection with Video Surveillance
To ensure the safety of our guests, employees, and our property, as well as to prevent and address unlawful behavior (in particular, theft and property damage), the entrance area and the publicly accessible areas of our hotel, excluding sanitary facilities and employee office premises, maybe monitored by cameras. The image data will only be viewed if there is a suspicion of unlawful behaviour. Otherwise, the recorded images will be automatically deleted as per the guidelines suggested by local laws and regulations.
We currently use video surveillance as described below. We believe such use is necessary for legitimate business purposes, including:
- prevent crime and protect buildings and assets from damage, disturbance, vandalism and other crime,
- for the personal safety of customers, staff, guests and visitors and other members of the public and as a deterrent to crime,
- Assisting law enforcement agencies in preventing, detecting and prosecuting criminal offences,
- Assisting with day-to-day work, including ensuring the health and safety of customers, guests, staff and others.
Camera locations are chosen to minimize viewing of areas not relevant to the legitimate purpose of surveillance. As far as practicable, surveillance cameras are not aimed at private homes, gardens or other areas of private property.
Personnel using surveillance systems are appropriately trained to ensure they understand and comply with legal requirements related to the processing of relevant data.
The server is stored at a central secure place in the Engineering Office (locked). The system is set up with an authorization structure that will only give selected employees (access to the video recordings.
Recording Duration: Detected movements are recorded with this system and deleted again after 72 hours in order to comply with data protection requirements. (in case of Zurich). Applicable timeline in case of Dubai as per regulatory requirements.
To ensure that the rights of those captured by the CCTV system are protected, we will ensure that the data captured by CCTV cameras is stored in a manner that maintains its integrity and security. This may also include encrypting the data where possible.
The data recorded by the CCTV system is stored digitally. CCTV camera data is not kept indefinitely but is permanently deleted once there is no longer a reason to keep the recorded information in line with legal requirements. Exactly how long the images are kept depends on the purpose for which they were recorded.
13.15 Data Processing for Fulfilling Legal Reporting Obligations
Upon arrival at the hotel, FIVE may require the following information from the guests and their accompanying persons:
- First and last name
- Billing address
- Date of birth
- Identity card or passport
- Date of arrival and departure
FIVE collects this information to fulfil legal reporting obligations, which arise in particular from hospitality or police regulations. To the extent required by applicable laws, this information is forwarded to the competent authority.
13.16 Data Processing in Job Applications
Applicants can apply for a position at FIVE either spontaneously or in response to a specific job advertisement. In both cases, FIVE will process the personal data provided by the applicants.
FIVE uses the data to assess the application and suitability for employment. Application documents from unsuccessful applicants may be retained for a period of five years.
13.17 Data Processing when Visiting our Website (Log File Data)
When an individual visits the FIVE Website, the servers of our hosting provider may temporarily store every access in a log file. The following data is collected without your intervention and stored by us until automatically deleted:
- IP address of the requesting computer;
- date and time of access;
- name and URL of the accessed file;
- website from which the access was made, if applicable, with the search word used;
- operating system of your computer and the browser you are using (including type, ver-sion, and language setting);
- device type in case of access from mobile phones;
- city or region from which the access was made;
This data is automatically deleted post termination of access and not stored on our server.
13.18 Data Processing with regards to Social Media platforms
FIVE website contains links to its profiles on the social networks of the following providers:
If the individual clicks on the icons of the social networks, the individual will be automatically redirected to our profile on the respective network. This establishes a direct connection between your browser and the server of the respective social network. As a result, the social network receives information that the individual has visited the FIVE Website with the IP address and clicked on the link. This may also involve the transfer of data to servers abroad.
If the individual clicks on a link to a social network while logged into their user account on that social network, the content of our website can be associated with your profile, allowing the social network to directly link your visit to our website to your account. If this must be prevented, please log out of the account before clicking on the respective links. A connection between access to the website and the user account will always be established if one logs in to the respective social network after clicking on the link. The data processing associated with this is the responsibility of the respective provider in terms of data protection. Therefore, please refer to the privacy notices on the social network’s website.
Social media plugins are added to make it easier for the individual to share content from the website. The social media plugins help us to increase the visibility of our content on social networks, thereby contributing to better marketing.
The plugins are deactivated by default on the website, and therefore, no data is sent to the social networks when the Website is accessed. To enhance data protection, FIVE has integrated the plugins in such a way that a connection is not automatically established with the servers of the social networks. Only when the individual activates the plugins by clicking on them, and thus give the consent to the transmission and further processing of data by the providers of the social networks, the browser establishes a direct connection to the servers of the respective social network.
13.19 Online advertising and targeting
We use the services of various companies to provide you with interesting offers online. In the process of doing this, your user behavior on our website and websites of other providers is analyzed in order to subsequently be able to show you online advertising that is individually tailored to you.
Most technologies for tracking your user behavior (Tracking) and displaying targeted advertising (Targeting) utilize cookies, which allow your browser to be recognized across different websites. Depending on the service provider, it may also be possible for you to be recognized online even when using different end devices (e.g., laptop and smartphone).
In addition to the data already mentioned, which is collected when visiting websites and using cookies and which may be transmitted to the companies involved in the advertising networks, the following data, in particular, is used to select the advertising that is potentially most relevant to you:
- information about you that you provided when registering or using a service from advertising partners (e.g., your gender, age group); and
- user behaviour (e.g., search queries, interactions with advertisements, types of websites visited, products or services viewed and purchased, newsletters subscribed to).
We and our service providers use this data to determine whether you belong to the target audience we address and take this into account when selecting advertisements. . For example, after visiting our website, you may see advertisements for the products or ser-vices you have viewed when you visit other sites (Re-targeting). Depending on the amount of data, a user profile may also be created, which is automatically analyzed; the advertisements are then selected based on the information stored in the profile, such as belonging to certain demographic segments or potential interests or behaviors’. These advertisements may be displayed to you on various channels, including our website or app (as part of on- and in-app marketing), as well as advertising placements provided through the online advertising networks we use, such as Google.
The data may then be analyzed for the purpose of settlement with the service provider, as well as for evaluating the effectiveness of advertising measures in order to better understand the needs of our users and customers and to improve future campaigns. This may also include information that the performance of an action (e.g., visiting certain sections of our Website or submitting information) can be attributed to a specific advertising. We also receive from service providers aggregated reports of advertisement activity and information on how users interact with our website and advertisements.
14 RETENTION OF DATA
- FIVE shall not retain any Personal Information for longer than necessary considering the purpose(s) for which that data is collected, held, and processed.
- When establishing and/or reviewing data retention periods, the following shall be considered:
- The objectives and requirements of Five.
- The type of Personal Information in question.
- The purpose(s) for which the data in question is collected, held and processed.
- FIVE’s legal basis for collecting, holding, and Processing that data; and
- The category or categories of Data Subject to which the data relates.
- Personal Information will be retained as per defined FIVE’s Data Retention Procedure (refer to FIVE_Hotels_Data Retention Procedure)
- Requirements that oblige us to retain data arise from the accounting and tax law regulations
- FIVE has a statutory duty to keep records of employees and guests and should be retained for lawful business purposes.
15 DISPOSAL OF DATA
- Upon the expiry of the data retention periods, or when a Data Subject exercises their right to have their Personal Information erased, Personal Information shall be deleted, destroyed, or otherwise disposed of as follows:
- Personal Information stored electronically shall be permanently deleted
- Personal Information stored in hardcopy form shall be shredded and securely disposed off.
16 SHARING OF DATA
16.1 INFORMATION DISCLOSURE
- FIVE may disclose Personal Information which is believed to be necessary or appropriate:
- Under applicable law, including laws outside the country of residence.
- To comply with legal processes.
- To respond to requests from public and government authorities, including public and government authorities outside the country of residence, for national security and/or law enforcement purposes.
- To allow FIVE to pursue available remedies or limit the damages that may sustain government authorities outside the country of residence,
- In the event of a reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of business, assets or stock (including in connection with any bankruptcy or similar proceedings), FIVE may transfer the Personal Information which has been collected to the relevant third party.
- FIVE may share information with government agencies or companies assisting in fraud prevention or investigation. Also, when:
- Permitted or required by law; or,
- Trying to prevent – actual fraud, potential fraud, or unauthorized transactions,
- Investigating fraud which has already taken place.
The information should not be provided to data gathering companies for marketing purposes.
- FIVE may share personal information (which may sometimes include sensitive personal information) within the corporate group who require the information for the purposes in this policy. This will include sharing your personal information with FIVE entities in countries other than where the information was originally collected.
16.2 CROSS- BORDER DATA TRANSFERS INTRA-GROUP
Personal Information transferred across geographies from where FIVE operates should follow the following:
- When personal / sensitive information is being transferred, consent needs to be obtained from the individual
- Data transfer agreement with the party who will access or obtain the personal information, or
Binding corporate rules that ensure an adequate level of data protection in cross-border data flows within a single legal entity or a group of affiliated companies.
- The transfer is necessary or legally required on important public interest grounds or for the establishment, exercise, or defense of legal claims.
- The transfer is necessary in order to protect the vital interests of the individual.
- The transfer is otherwise legitimized by applicable laws.
16.3 DATA TRANSFER TO THIRD PARTIES
- When conducting business with a third party and sharing, Processing of personal information, in addition to checking with FIVE’s legal team, Third Party may not engage its Sub-Processor for carrying out specific processing activities on behalf of FIVE unless a legally binding written agreement is in place with such Sub-Processor With respect to FIVE data transfer.
- Furthermore, your data may be disclosed, especially to authorities, legal advisors, or debt collection agencies, if we are legally obliged to do so or if it is necessary to protect our rights, in particular to enforce claims arising from our relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof, and such disclosure is necessary to conduct due diligence or to complete the transaction.
- For any data transfer done with third countries (countries where data protection laws are not considered adequate as per the GDPR/ FADP), FIVE shall enter into agreements with data protection clauses with respective partners for them to maintain proper organizational and technical safeguards for data protection.
- For the purpose of customising and continuously optimising our Website, we use the web analytics services listed. In this context, pseudonymised usage profiles are created, and cookies are used. The information generated by the cookie regarding your use of our Website is usually transmit-ted to a server of the service provider, where it is stored and processed. This may also result in a transfer to servers abroad.
- Through the data processing, we obtain, among others, the following information:
- navigation path followed by a visitor on the site (including content viewed, products selected or purchased, or services booked);
- time spent on the Website or specific page;
- the specific page from which the Website is left;
- the country, region, or city from where an access is made;
- end device (type, version, colour depth, resolution, width, and height of the browser window); and
- returning or new visitor.
- The provider, on our behalf, will use this information to evaluate the use of the Website, in particular to compile Website activity reports and provide further services related to Website usage and internet usage for the purposes of market research and the customisation of the Website. For these processing activities, we and the providers may be considered joint controllers in terms of data protection to a certain extent.
17 COMMITMENT TO DATA SECURITY
- FIVE shall deploy appropriate physical, organizational, and technological safeguards to ensure timely availability and protect Personal Information from unauthorized disclosure, use, modification, and destruction. FIVE must commit to implementing technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- FIVE uses appropriate technical and organizational security measures to protect your personal da-ta stored with us against loss and unlawful processing, in particular unauthorized access by third parties. Our employees and the service companies mandated by us are obliged to maintain confidentiality and uphold data protection. Furthermore, these persons are only granted access to personal data to the extent necessary for the performance of their tasks.
- Our security measures are continuously adapted in line with technological developments. However, the transmission of information via the Internet and electronic means of communication always involves certain security risks and we cannot, therefore, provide any absolute guarantee for the security of information transmitted in this way.
- Breaches of this Policy must be reported to Data Privacy Officer. FIVE shall deal with data privacy breaches in accordance with the Information Security Incident Management Procedure (refer to FIVE_Hotels_Incident Management Procedure).
18 MONITORING AND ENFORCEMENT
- The process shall be established for recording and responding to complaints/ grievances registered by Data Subjects.
- Each complaint regarding privacy practices registered by Data Subjects shall be validated, responses are documented and communicated to the individual.
- An annual privacy compliance review shall be performed for identified business processes and their supporting applications.
- A record shall be maintained of non-compliances identified in the annual privacy reviews. Corrective and disciplinary measures shall be initiated and tracked to closure, guided by FIVE’s management.
- The process shall be established to monitor the effectiveness of controls for Personal Information and for ensuring corrective actions, as required.
- Any conflicts or disagreements relating to the requirements under this policy or associated privacy practices shall be referred to the Data Privacy Officer for resolution
19 DATA BREACH RESPONSE AND GUIDELINES
- In the case of a Personal Information breach, FIVE shall without undue delay and, where feasible, after having become aware of it, notify the Personal Information breach to the commissioner/ supervisory authority. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
- The Processor shall notify FIVE without undue delay after becoming aware of a Personal Information breach.
- The Personal Information breach notification shall at least:
- Describe the nature of the Personal Information breach including details about categories of information affected and the approximate number of Data Subjects affected,
- Communicate the name and contact details of the data protection officer or other contact pointswhere more information can be obtained;
- Describe the likely consequences of the Personal Information breach;
- Describe the measures taken or proposed to be taken by FIVE to address and mitigate the Personal Information breach.
- Where, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
- FIVE will keep a record of any Personal Information breach, including what happened, how it affected people, and what was done to fix the problem. That documentation shall enable the supervisory authority to verify compliance with this policy.
20 INDIVIDUAL RESPONSIBILITIES
Individuals are responsible for helping FIVE keep their personal data updated. The following are the responsibilities of individuals who have access to personal data:
- The individuals having access to personal data are required to access only data they have access to, for authorized purpose.
- The data shall be disclosed to only authorized individuals within or outside the organization and the data should be kept secured.
- No devices containing personal data shall be left or removed without adopting adequate security measures to secure the data.
- No personal data shall be stored on local drives or on personal devices.
- Data breaches in case of any shall be reported immediately.
- FIVE will provide training on data protection responsibilities for all the individual along with the induction process and at regular intervals thereafter.
- Additional training will be provided on the duties and compliance to individuals with regular access to personal data and the individuals responsible for implementing this policy.
22 ROLES AND RESPONSIBILITIES OF DPO
- A DPO must have knowledge of the Data Privacy Law and shall ensure that FIVE follows compliance as per the law
- FIVE shall ensure, its DPO is properly involved in timely manner, on all issues relating to the protection of Personal Information and is given sufficient resources necessary to carry out the role
- DPO must monitor any policies relating to the protection of Personal Information, including the assignment of responsibilities, awareness – raising and training of staff involved in processing operations and related audits
- DPO must notify and advise FIVE and its processing staff of its obligations under this policy., including where the organization is subject to overseas provisions with extra-territorial effect
- Act as the contact point for the commissioner/ supervisory authority on issues relating to processing
- Define and communicate the privacy data breach response plan.
23 RACI MATRIX
The RACI Matrix lays out all the deliverables against members’ roles, while responsibilities and decision-making are delegated to each role using the four elements comprising RACI.
|Policy development and maintenance||DPO||Group Direct Cyber security||Group Director IT||Security Steering Committee|
|Policy Approvals||Group Direct Cyber security||Group Director IT||Group Director IT / Legal Team||Security Steering Committee|
|Policy Enforcement||DPO||Asset Owner||Group Director IT||Security Steering Committee|
|Policy Compliance Monitoring||DPO||IT team/ Legal Team, Group Direct Cyber security
|Group Director IT||IT team/ Legal Team|
|Exception Approvals||DPO||IT team/ Legal Team||Group Director IT||Security Steering Committee|
24 REVIEW FREQUENCY
- Team shall review its security controls periodically to ensure that they comply with the FIVE asset management policy. This compliance shall also be checked during internal audits.
25.1 PERSONALLY IDENTIFIABLE INFORMATION (PII) OF FIVE EMPLOYEES
- Data protection laws govern the use of personally identifiable information. This term means any data relating to an individual who can be identified using that data.
- FIVE may hold the following types of PII:
- Names, voice, addresses, telephone numbers, passport number, identification number and other personal contact details;
- Gender, date of birth, physical or mental health or condition;
- Immigration status, trade union membership;
- Personnel records including training, appraisal, performance and disciplinary information, and succession planning;
- Bank details, salary, bonus, benefits, tax details and pension details and other financial information.
- All FIVE employees will be required to provide the consent to FIVE management for data obtained, processed and stored for the purpose of employment related activities.
25.2 SENSITIVE PERSONAL INFORMATION (SPI) OF FIVE EMPLOYEE
FIVE may hold the following types of SPI:
- Race, Ethnicity, Political view, Philosophical views, Sexual state
- Religious beliefs
- Biometric data
- Health Data
- Criminal offences committed (or allegedly committed) including any proceedings and sentencing in relation to any such criminal offence.
25.3 EMPLOYEE DATA PROCESSING ACTIVITIES
- Personal Information about individuals may only be processed for a legitimate purpose. FIVE may undertake several activities with an individual employee’s Personal Information including, but not limited to:
- Salary, benefits and pensions administration;
- Health and safety records and management;
- Security vetting, criminal records checks and credit checks and clearances (where applicable and allowed by law);
- Confirming information on résumés, CVs and covering letters, providing reference letters and performing reference checks;
- Training and appraisal, including performance evaluation and disciplinary records;
- Staff management and promotions;
- Any potential change of control of a group company, or any potential transfer of employment relating to a business transfer or change of service provider;
- Other disclosures required in the context of staff employment;
- Promoting or marketing of FIVE, its products or services;
- Compliance with applicable process, laws, regulations, including any related investigations to ensure compliance or of any potential breaches;
- Establishing, exercising or defending FIVE legal rights;
- Disclosures to other companies in the FIVE including companies in other countries to the extent permitted by law, including for the following purposes: as required in connection with the duties of the employee; legal compliance; audit; group level management; in connection with the fulfilment of Guests and partner contracts;
- Any other reasonable purposes in connection with an individual’s employment or engagement by FIVE;
- Providing and managing use of services provided by third parties, such as company provided mobile phones and laptops and billing for such services.
- Personal Information can be collected and processed in case of Emergency so they can be contacted in an emergency.
- FIVE may disclose Personal Information to contractor employees and suppliers that provide services to them and also to law enforcement agencies, regulatory bodies, government agencies, and other third parties as required by law or for administration/taxation purposes, to the extent local law allows and requires.
- FIVE may disclose Personal Information to third parties for the purposes of establishing and managing your employment relationship. For example, FIVE may disclose some of your Personal Information to:
- benefits providers (for example, pension and insurance providers);
- payroll and data Processing suppliers and other service providers who assist us in establishing or managing your employment relationship with us;
- insurance claims and medical-related service providers; and
- parties requesting an employment reference.
- FIVE shall take appropriate measures to ensure that its contractor employees and suppliers also process Personal Information in a compliant way and such measures may include a data Processing agreement.
|Data Processor||An entity such as all external parties – including without limitation contractor employees, vendors, service providers that processes data on behalf of an organization.|
|Controller||Any person who alone or jointly with others determines the purposes and means of the Processing of Personal information|
|Access||The ability to use, modify or manipulate an information resource or to gain entry to a physical area or location.|
|Anonymize||Processing of Personal Information in such a manner that a natural person cannot be identified on the basis of output Processing of data or information|
|Data Subject||A living individual about whom Personal Information is processed by or on behalf of FIVE (includes Customer, Guests, Employees , Vendors etc)|
|Privacy by design||Is an approach to systems engineering that seeks to ensure protection for the privacy of individuals by integrating considerations of privacy issues from the very beginning of the development of products, services, business practices, and physical infrastructures.|
|Information security||Preservation of confidentiality, integrity, and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.|
|Statistical Purposes||Statistical purposes mean any operation of collection and the processing of personal data necessary for statistical surveys or to produce statistical results. Those statistical results may further be used for different purposes, including a scientific research purpose.|
|High-Risk Processing Activities||Processing of Personal Information where one or more of the following applies:
(a) Processing that includes the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of a Data Subject or renders it more difficult for a Data Subject to exercise his rights;
(b) a considerable amount of Personal Information will be Processed (including staff and contractor Personal information) and where such Processing is likely to result in a high risk to the Data Subject, including due to the sensitivity of the Personal Information or risks relating to the security, integrity or privacy of the personal information;
(c) the Processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated Processing, including Profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or
(d) a material amount of Special Categories of Personal Information is to be Processed.
|Processing||To Process or Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, irrespective of the equipment and procedures used, including:
|Record of Processing Activities (ROPA)||A record of an organization’s processing activities involving personal data.|
|Sub- Processor||A Sub-Processor is a third party data processor engaged by a Data Processor who has or will have access to or process personal data from a Data Controller.|
|Personal Information||Any type of information related to identified or identifiable individuals, or information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.|
|Sensitive Personal Information or Special categories of personal information||EU General Data Protection Regulation (GDPR)
Sensitive Personal Information means Personal Information consisting of information as to: