CHINA ADDENDUM TO THE GLOBAL HOTEL ALLIANCE - PRIVACY POLICY

 

This China Addendum to the Global Hotel Alliance - Privacy Policy ("Addendum") is a part of the Global Hotel Alliance - Privacy Policy ("Privacy Policy") and should be read in conjunction with it and can be found here.

Please get in touch with us using the information in the "HOW TO CONTACT US" section below if you have any questions about the Privacy Policy or this Addendum.

 

1. ABOUT THIS ADDENDUM

 

Protecting your Personal Information is very important to GHA, and this Addendum describes the practices that we follow as a Personal Information Processor to Process Personal Information that is protected by the PIPL. Specifically, this Addendum applies to any activity where we Process the Personal Information of a natural person within China or where we Process the Personal Information of a natural person outside China under the following circumstances:

  • where the purpose of the activity is to provide a product or service to a natural person located within China;
  • where the purpose of the activity is to analyse or assess the behaviour of a natural person located within China; or
  • any other circumstance as provided by law or administrative regulations.

This Addendum describes:

  • definitions;
  • how we collect and Process your Personal Information;
  • transfers of Personal Information;
  • your rights; and
  • how to contact us.

If the terms of the Privacy Policy and this Addendum conflict in relation to Personal Information protected by the PIPL, this Addendum prevails.

 

2. DEFINITIONS

 

In this Addendum, we use some special words and phrases. The following definitions apply to those special words and phrases:

"Anonymisation" refers to the process in which any Personal Information is Processed to the extent that it cannot identify a specific natural person and cannot be restored to its original state.

"China" for the purposes of this policy refers to mainland China only and does not refer to the Hong Kong Special Administrative Region, Macau Special Administrative Region, or Taiwan China.

"Controller" or "Personal Information Processor" refers to any organisation or individual that independently determines the purpose and method of Processing in their activities of Processing of Personal Information.

"Entrusted Processor" generally refers to any vendor or service provider we engage to Process Personal Information on our behalf under a contract that meets the requirements in Article 21 of the PIPL.

"GHA", "us", or "we" refers to GHA Loyalty DMCC, a legal entity with a place of business at 21st Floor, JBC5 Tower, Jumeirah Lake Towers, PO Box 487771 Dubai, United Arab Emirates.

"Overseas Recipient" refers to an organisation or individual located outside China that receives Personal Information from GHA.

"Personal Information", "Personal Data", or "Data" all bear the same meaning for the purposes of this Addendum and refer to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been Anonymised.

"PIPL" means the Personal Information Protection Law of the People's Republic of China. 

"Processing", "Process", or "Processed" includes the collection, storage, use, editing, transmission, provision, disclosure, and deletion of Personal Information.

"Relevant Laws and Regulations" refers to the Personal Information Protection Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Civil Code of the People's Republic of China, and other applicable laws and regulations of the People's Republic of China.

"SDK" refers to Software Development Kit, which is usually a software tool used to assist application development to realise specific functions of the application. Common SDK types include advertising, push, statistics, maps, third-party login, social payment, risk control, identity authorisation, framework, etc.

"Security Incident" refers to the unlawful or accidental destruction, alteration, loss, misuse, access, modification, or disclosure of Personal Information.

"Sensitive Personal Information" refers to Personal Information that, once leaked or illegally used, will easily lead to infringement of the human dignity or harm to the personal or property safety of a natural person, including biometric recognition, religious belief, specific identity, medical and health, financial account, personal location tracking and other information of a natural person, as well as any Personal Information of a minor under the age of 14.

"Sites" refers to es.ghadiscovery.com, the GHA DISCOVERY mobile application, and other websites and applications operated by or on behalf of GHA.

 

3. HOW WE COLLECT AND PROCESS YOUR PERSONAL INFORMATION

 

We only Process your Personal Information if there is a legal basis. The legal bases we rely on to Process Personal Information may depend on the specific purposes we are trying to achieve. We typically rely on one or more of the following legal bases:

  • where it is necessary for the conclusion or performance of a contract to which you are a contracting party;
  • where it is necessary for performing a statutory responsibility or statutory obligation;
  • where it is necessary for responding to a public health emergency or for protecting the life, health, or property safety of a natural person in the case of an emergency; and
  • any other circumstance as provided by Relevant Laws and Regulations.

Where none of the above legal bases apply, we will seek your consent before Processing your Personal Information.

 

Types of Personal Information we collect

We collect the Personal Information from you as follows:

Type of Personal Information: Browsing the Sites
  • Personal Information Elements: IP Address; Internet Service Provider; Login frequency; Pages visited within the Sites; Operating system; Website or mobile apps from which an accessing system reaches Sites*; Internet browser
  • Retention Period: 6 Months

Type of Personal Information: Contacting us
  • Personal Information Elements: Personal Information you voluntarily provide when you send us an enquiry or support request via email*; Records of your communications with us*
  • Retention Period: Indefinitely until deletion is requested

Type of Personal Information: Surveys
  • Personal Information Elements: Survey feedback*
  • Retention Period: 1 year

Type of Personal Information: GHA DISCOVERY Member registration information
  • Personal Information Elements: Member number; Email address; Name; Phone number; Date of birth; Preferred communication methods; Language preference; Preferences and interests; Physical address; Member password*
  • Retention Period: Indefinitely until deletion is requested

Type of Personal Information: GHA DISCOVERY reservation information
  • Personal Information Elements: Hotel booked; Booking, Arrival and Departure Date; Number of room occupants (Adults, Children); Room category booked; Price
  • Retention Period: Indefinitely until deletion is requested

Type of Personal Information: GHA DISCOVERY travel purchase information
  • Personal Information Elements: Billing address of credit cards used to purchase travel*; Credit card information, including card number, card type, cardholder name, and expiration date*
  • Retention Period: 1 year

Type of Personal Information: Cookies
  • Personal Information Elements: Cookies*
  • Retention Period: 1 Year

 

We have marked Sensitive Personal Information that we Process with "*" for your reference. We need to Process your Sensitive Personal Information to achieve the purposes described below. Before we Process your Sensitive Personal Information, we will seek your separate consent in accordance with Relevant Laws and Regulations.

We do not collect Personal Information from minors under the age of 14. Please ensure that minors in your care do not send us their Personal Information without your consent. If we have received the Personal Information of any minor under the age of 14 in your care, you can get in touch with us using the information in the "HOW TO CONTACT US" section below to have such Personal Information deleted.

 

Our Processing purposes

We Process your Personal Information for the following purposes:

Purpose: Administering your account and calculating DISCOVERY Dollars (D$)
  • Types of Personal Information: GHA DISCOVERY Member registration information; GHA DISCOVERY reservation information

Purpose: Assisting your planning and purchasing of travel
  • Types of Personal Information: GHA DISCOVERY Member registration information; GHA DISCOVERY reservation information; GHA DISCOVERY travel purchase information

Purpose: Notifying you of travel changes
  • Types of Personal Information: GHA DISCOVERY Member registration information; GHA DISCOVERY reservation information

Purpose: Sending marketing communications or surveys to you
  • Types of Personal Information: GHA DISCOVERY Member registration information; GHA DISCOVERY reservation information; Any other information you may provide in response to the survey

Purpose: Responding to your questions or suggestions
  • Types of Personal Information: GHA DISCOVERY Member registration information; GHA DISCOVERY reservation information; Any other information you may voluntarily provide

Purpose: Improving the quality of your visit to our Sites
  • Types of Personal Information: Cookies information and technical information about your device

Purpose: Amending or updating your profile and preference details
  • Types of Personal Information: GHA DISCOVERY Member registration information

 

When you use our application and WeChat mini program, to ensure the normal, safe, and stable operation of related services and functions, we may seek the following device operating system permissions from you:

android.permission.ACCESS_NETWORK_STATE
  • Description: View network status.
  • Purposes: Allows an application to view the status of all networks.
  • Applicable platforms: Android

android.permission.INTERNET
  • Description: To perform network operations in your application.
  • Purposes: Grant permission for your application to access the internet.
  • Applicable platforms: Android

android.permission.ACCESS_FINE_LOCATION
  • Description: Allows ask for foreground precise location access. Checks Accurate location.
  • Purposes: Permits requesting foreground access to precise location. Verifies exact location.
  • Applicable platforms: Android

android.permission.ACCESS_COARSE_LOCATION
  • Description: Allows ask for foreground location access. Verifies zones geographical areas.
  • Purposes: Allows location access. Confirms geographical zones.
  • Applicable platforms: Android

android.permission.WRITE_CALENDAR
  • Description: Allows an application to write the user's calendar data.
  • Purposes: To access Calendar, write permissions.
  • Applicable platforms: Android

android.permission.READ_CALENDAR
  • Description: Allows an application to read the user's calendar data.
  • Purposes: Grants permission for an application to access and read the user's calendar data.
  • Applicable platforms: Android

${applicationId}.permission.RSYS_SHOW_IAM
  • Description: To show an In-App message or Rich Push message on Android || Responsys.
  • Purposes: To receive notifications or messages within an app on their Android device.
  • Applicable platforms: Android

${applicationId}.permission.PUSHIO_MESSAGE
  • Description: To handle push notifications || Responsys.
  • Purposes: To manage incoming push notifications effectively on their device.
  • Applicable platforms: Android

${applicationId}.permission.C2D_MESSAGE
  • Description: Prevents other applications from registering and receiving the application's messages || Responsys.
  • Purposes: Ensures that only the intended application can receive and process its messages, blocking interference from other apps.
  • Applicable platforms: Android

NSUserTrackingUsageDescription
  • Description: A message that informs the user why an app is requesting permission to use data for tracking the user or the device.
  • Purposes: To track user or device data.
  • Applicable platforms: iOS

NSCalendarsUsageDescription
  • Description: A message that tells people why the app is requesting access to their calendar data.
  • Purposes: A notification that clarifies the reason for the app's request to access users' calendar data.
  • Applicable platforms: iOS

NSCameraUsageDescription
  • Description: A message that tells the user why the app is requesting access to the device's camera.
  • Purposes: To access device's camera.
  • Applicable platforms: iOS

NSLocationAlwaysAndWhenInUseUsageDescription
  • Description: A message that tells the user why the app is requesting access to the user's location information at all times.
  • Purposes: To have continuous access to the location information, when app is in use.
  • Applicable platforms: iOS

NSLocationAlwaysUsageDescription
  • Description: A message that tells the user why the app is requesting access to the user's location at all times.
  • Purposes: To have continuous access to the location information, when app is in use and also not in use.
  • Applicable platforms: iOS

NSLocationUsageDescription
  • Description: A message that tells the user why the app is requesting access to the user's location information.
  • Purposes: App needs access to the user's location even when the app is not in use, for example, when the app is running in the background.
  • Applicable platforms: iOS

NSLocationWhenInUseUsageDescription
  • Description: A message that tells the user why the app is requesting access to the user's location information while the app is running in the foreground.
  • Purposes: Appears in the permission dialog that iOS presents to the user when they first launch the app and it requests permission to access their location.
  • Applicable platforms: iOS

NSPhotoLibraryUsageDescription
  • Description: A message that tells the user why the app is requesting access to the user's photo library.
  • Purposes: To access users' photo library.
  • Applicable platforms: iOS

 

 

4. TRANSFERS OF PERSONAL INFORMATION

 

Entrusted Processing

In order to provide certain services to you, we may need to engage an Entrusted Processor to Process some of your Personal Information. We will enter into strict confidentiality agreements and include Personal Information protection clauses in other agreements with Entrusted Processors that require them to process and protect your Personal Information in accordance with our own high standards, this Addendum and Relevant Laws and Regulations.

Typical examples of Entrusted Processors that we engage with include:

  • Professional advisors, such as lawyers, accountants, tax consultants, etc.;
  • Technical experts, such as IT security specialists, etc.; and
  • Others, such as marketing experts, surveyors, etc.

 

Domestic Transfers

In order to provide you with the best guest experience possible, we need to share your Personal Information with third parties within China. Please see the list below for more information about the third parties within China that may receive your Personal Information:

Capella Tufu Bay, Hainan
  • Contact Details: [email protected]
  • Processing Purpose: For the operation of the GHA DISCOVERY loyalty programme, including recognising and rewarding members for their stays at the hotel
  • Types of Personal Information: Programme Participant details including travel booking information; identification data (name and surnames, NIF/ID Card, address, telephone, mail, signature, electronic signature); personal characteristics data (civil status, date of birth, place of birth, age, sex, nationality, native language); data relating to social circumstances (interests and lifestyle, membership in the loyalty program, membership number).
  • Methods of Processing: Automated and manual input and exchange of Personal Information, using digital systems to interface between the hotels and GHA Loyalty DMCC.

Capella Shanghai, Jian Ye Li
  • Contact Details: [email protected]

Kempinski Hotel Chongqing China
  • Contact Details: [email protected]

Kempinski Hotel Changsha
  • Contact Details: [email protected]

Kempinski Hotel Chengdu China
  • Contact Details: [email protected]

Kempinski Hotel Dalian China
  • Contact Details: [email protected]

Kempinski Hotel Fuzhou
  • Contact Details: [email protected]

Kempinski Hotel Hangzhou China
  • Contact Details: [email protected]

Kempinski Hotel Yinchuan China
  • Contact Details: [email protected]

Kempinski Hotel Guiyang China
  • Contact Details: [email protected]

Kempinski Hotel Nanjing China
  • Contact Details: [email protected]

Kempinski Hotel Beijing Yansha Center
  • Contact Details: [email protected]

Sunrise Kempinski Hotel Beijing
  • Contact Details: [email protected]

Yanqi Hotel Beijing managed by Kempinski
  • Contact Details: [email protected]

Yanqi Island Pavilion Beijing managed by Kempinski
  • Contact Details: [email protected]

Grand Kempinski Hotel Shanghai China
  • Contact Details: [email protected]

Kempinski Hotel Suzhou
  • Contact Details: [email protected]

Kempinski Hotel Shenzhen
  • Contact Details: [email protected]

Kempinski Hotel Jinan
  • Contact Details: [email protected]

Kempinski Hotel Taiyuan China
  • Contact Details: [email protected]

Kempinski Hotel Xiamen China
  • Contact Details: [email protected]

Kempinski Residences Guangzhou
  • Contact Details: [email protected]

Kempinski The One Suites Hotel Shanghai Downtown
  • Contact Details: [email protected]

NUO Hotel Beijing
  • Contact Details: [email protected]

Beijing Hotel NUO
  • Contact Details: [email protected]

Anantara Guiyang Resort
  • Contact Details: [email protected]

Anantara Xishuangbanna Resort
  • Contact Details: [email protected]

NH Zhengzhou Jinshui
  • Contact Details: [email protected]

Oaks Chengdu at Cultural Heritage Park
  • Contact Details: [email protected]

Tivoli Chengdu at Cultural Heritage Park
  • Contact Details: [email protected]

Pan Pacific Ningbo
  • Contact Details: [email protected]

Pan Pacific Beijing
  • Contact Details: [email protected]

Pan Pacific Suzhou
  • Contact Details: [email protected]

Pan Pacific Tianjin
  • Contact Details: [email protected]

Pan Pacific Xiamen
  • Contact Details: [email protected]

The Sukhothai Shanghai
  • Contact Details: [email protected]

Gateway, Hong Kong
  • Contact Details: [email protected]

Marco Polo Hongkong Hotel
  • Contact Details: [email protected]

Marco Polo Jinjiang Hotel
  • Contact Details: [email protected]

Prince, Hong Kong
  • Contact Details: [email protected]

Marco Polo Parkside, Beijing
  • Contact Details: [email protected]

Marco Polo Wuhan
  • Contact Details: [email protected]

Marco Polo Xiamen
  • Contact Details: [email protected]

Maqo Changsha
  • Contact Details: [email protected]

Niccolo Chengdu
  • Contact Details: [email protected]

Niccolo Chongqing
  • Contact Details: [email protected]

Niccolo Changsha
  • Contact Details: [email protected]

The Murray, Hong Kong, A Niccolo Hotel
  • Contact Details: [email protected]

Niccolo Suzhou
  • Contact Details: [email protected]

Before we transfer your Personal Information or Sensitive Personal Information, we will seek your separate consent in accordance with Relevant Laws and Regulations.

 

Transfers outside China

As a result of the global nature of our business, Members' Personal Information will need to be transferred to Overseas Recipients. Please see the list below for more information about the Overseas Recipients that may receive your Personal Information:

Overseas Recipient: Opera Reservation System
  • Country: Frankfurt, Germany
  • Contact Details: https://www.oracle.com/legal/privacy/data-protection-authority/
  • Processing Purpose: Reservations Management Platform
  • Types of Personal Information: Complete set of customer information, including first name, last name, address information, mobile number, email, language and other preferences, stay history
  • Methods of Processing: Collection, Storage, Use, Editing, Transmission, Deletion
  • Retention Period: Unlimited

Overseas Recipient: Opera Customer Information Platform
  • Country: Frankfurt, Germany
  • Contact Details: https://www.oracle.com/legal/privacy/data-protection-authority/
  • Processing Purpose: Customer Information Platform
  • Types of Personal Information: Complete set of customer information, including first name, last name, address information, mobile number, email, language and other preferences, stay history
  • Methods of Processing: Collection, Storage, Use, Editing, Transmission, Provision and Deletion
  • Retention Period: Unlimited until the consent to participate at GHA DISCOVERY is withdrawn

Overseas Recipient: Oracle Responsys
  • Country: Amsterdam, Netherlands
  • Contact Details: https://www.oracle.com/legal/privacy/data-protection-authority/
  • Processing Purpose: Campaign management platform
  • Types of Personal Information: Complete set of customer information, including first name, last name, address information, mobile number, email, language and other preferences, stay history, behavioural and engagement data
  • Methods of Processing: Storage, Use
  • Retention Period: Unlimited until the consent to participate at GHA DISCOVERY is withdrawn

Overseas Recipient: FusionAuth
  • Country: Frankfurt, Germany
  • Contact Details: https://fusionauth.io/contact
  • Processing Purpose: Hosting of Authentication credentials
  • Types of Personal Information: Email, Username, First Name, Last Name and Email
  • Methods of Processing: Collection, Storage, Use, Editing, Deletion
  • Retention Period: Unlimited until the consent to participate at GHA DISCOVERY is withdrawn

 

If you would like to exercise any of your legal rights over your Personal Information in accordance with Relevant Laws and Regulations against any of the Overseas Recipients named above, please get in touch with us using the information in the "HOW TO CONTACT US" section below.

Before we transfer your Personal Information or Sensitive Personal Information outside China, we will seek your separate consent in accordance with Relevant Laws and Regulations.

 

SDKs

We may embed third-party SDKs in our website, app, and WeChat mini program to ensure their stable operation and provide services to you. Please see the list below for more information about the SDKs that we rely on:

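SDK Name: Oracle Responsys Mobile SDK 6.56.1
  • SDK Operator: Oracle
  • Purpose of Processing Personal Information: Marketing Communication & Personalization
  • Types of Personal Information Processed: 1) Device Information; 2) Location Data; 3) User Profile Information; 4) Behavioral Data; 5) Transactional Data; 6) Usage Analytics; 7) Push Notification Tokens
  • SDK Operator Privacy Policy: https://www.oracle.com/legal/privacy/

SDK Name: Singular Flutter SDK 1.2.1
  • SDK Operator: Singular
  • Purpose of Processing Personal Information: Campaign Optimization, User engagement analysis, Performance Tracking & Reporting
  • Types of Personal Information Processed: 1) Device Information; 2) App Installation Data; 3) App Usage Data; 4) Attribution Data; 5) Location Data; 6) Advertising IDs
  • SDK Operator Privacy Policy: https://www.singular.net/privacy-policy/

SDK Name: Google Maps flutter SDK 2.7.0
  • SDK Operator: Google Maps Platform
  • Purpose of Processing Personal Information: For Location Services
  • Types of Personal Information Processed: 1) Device Information; 2) Location Data; 3) App Usage Analytics; 4) Cookies & Third Party data
  • SDK Operator Privacy Policy: https://policies.google.com/privacy; https://pub.dev/packages/google_maps_flutter/license

SDK Name: Firebase core SDK 2.1.1
  • SDK Operator: Google
  • Purpose of Processing Personal Information: To connect to multiple Firebase applications
  • Types of Personal Information Processed: 1) Device Information; 2) Location Data; 3) Profile Information - Membership ID
  • SDK Operator Privacy Policy: https://policies.google.com/privacy

SDK Name: Firebase Crashlytics SDK 3.0.4
  • SDK Operator: Google
  • Purpose of Processing Personal Information: For Crash Reports Analytics
  • Types of Personal Information Processed: 1) Device Information; 2) Location Data; 3) Profile Information - Membership ID
  • SDK Operator Privacy Policy: https://policies.google.com/privacy

SDK Name: Firebase Messaging SDK 4.7.9 2:16
  • SDK Operator: Google
  • Purpose of Processing Personal Information: For Push notification functionality
  • Types of Personal Information Processed: 1) Device Information; 2) Location Data; 3) Profile Information - Membership ID
  • SDK Operator Privacy Policy: https://policies.google.com/privacy

SDK Name: Firebase Analytics SDK 10.7.4
  • SDK Operator: Google
  • Purpose of Processing Personal Information: To process personal information for various purposes related to analytics and improving app performance
  • Types of Personal Information Processed: 1) Device Information; 2) Location Data; 3) Profile Information - Membership ID
  • SDK Operator Privacy Policy: https://policies.google.com/privacy

SDK Name: Firebase Instance Id SDK 1.0.0
  • SDK Operator: Google
  • Purpose of Processing Personal Information: Device Identification, analytics & push notification delivery
  • Types of Personal Information Processed: 1) Device Information; 2) Location Data; 3) Profile Information - Membership ID
  • SDK Operator Privacy Policy: https://policies.google.com/privacy

SDK Name: Flutter map SDK 6.1.0
  • SDK Operator: Flutter || Google
  • Purpose of Processing Personal Information: For Location Services in China
  • Types of Personal Information Processed: 1) Device Information; 2) Location Data; 3) Analytics
  • SDK Operator Privacy Policy: https://policies.google.com/privacy

SDK Name: Facebook SDK 0.18.3
  • SDK Operator: Facebook
  • Purpose of Processing Personal Information: To Track Facebook events and user interaction
  • Types of Personal Information Processed: 1) Authentication and Account Management; 2) Analytics and Advertising; 3) App Usage Analytics
  • SDK Operator Privacy Policy: https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0

SDK Name: CookieYes Consent Management
  • SDK Operator: CookieYes
  • Purpose of Processing Personal Information: Consent Collection, cookie management & User right management
  • Types of Personal Information Processed: 1) IP Address; 2) Device information; 3) Membership ID; 4) Consent Preferences; 5) Google Analytics Data; 6) Browser information
  • SDK Operator Privacy Policy: https://www.cookieyes.com/privacy-policy/

SDK Name: Google maps
  • SDK Operator: Google
  • Purpose of Processing Personal Information: To provide mapping and location-based services
  • Types of Personal Information Processed: 1) Device Information; 2) Location Data; 3) App Usage Analytics; 4) Cookies & Third Party data
  • SDK Operator Privacy Policy: https://policies.google.com/privacy; https://pub.dev/packages/google_maps_flutter/license

SDK Name: Mapbox 2.8.2
  • SDK Operator: Mapbox
  • Purpose of Processing Personal Information: For Location Services
  • Types of Personal Information Processed: 1) Location; 2) Device information; 3) Membership ID; 4) Data Usage
  • SDK Operator Privacy Policy: https://www.mapbox.com/legal/privacy

SDK Name: Google Tag Manager
  • SDK Operator: Google
  • Purpose of Processing Personal Information: To Analyze tags and tracking deployed on GHA Web and App
  • Types of Personal Information Processed: 1) Location data; 2) Device & Browser information; 3) Membership ID; 4) User ID; 5) Conversion events; 6) IP information
  • SDK Operator Privacy Policy: https://policies.google.com/privacy

SDK Name: Yieldify
  • SDK Operator: Yieldify
  • Purpose of Processing Personal Information: Digital marketing and conversion optimization
  • Types of Personal Information Processed: 1) Location data; 2) Device information; 3) Membership ID; 4) Behavioral Data; 5) Cookies & Tracking
  • SDK Operator Privacy Policy: https://www.yieldify.com/website-privacy-policy/

SDK Name: Lytics Customer Data Platform (CDP)
  • SDK Operator: Lytics
  • Purpose of Processing Personal Information: Personalized and targeted marketing experiences
  • Types of Personal Information Processed: 1) Location data; 2) Device information; 3) Membership ID; 4) Behavioral Data; 5) Cookies & Tracking; 6) GA4 data
  • SDK Operator Privacy Policy: https://www.lytics.com/privacy-policy/

SDK Name: Google Analytics 4
  • SDK Operator: Google
  • Purpose of Processing Personal Information: To Analyze user interactions with GHA Web and App
  • Types of Personal Information Processed: 1) Location data; 2) Device & Browser information; 3) Membership ID; 4) User ID; 5) Conversion events; 6) IP information
  • SDK Operator Privacy Policy: https://policies.google.com/privacy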

 

Corporate Transactions

If we need to transfer your Personal Information due to a merger, division, dissolution, bankruptcy or any other reason, we will notify you of the organisational or personal name and contact information of the receiving party.

 

Foreign Governments

We do not share Personal Information with foreign governments except as Relevant Laws and Regulations permit. 

 

Other Transfers

Because unforeseen situations can occur, we may need to transfer Personal Information in other circumstances not described above. Where this occurs, we will obtain any consent required from you, as required by Relevant Laws and Regulations.

 

5. SECURITY

 

We will take reasonable steps to secure your Personal Information against Security Incidents in accordance with Relevant Laws and Regulations and as described in the Privacy Policy. If you have any concerns about the security of your Personal Information or believe that you have experienced a Security Incident, please get in touch with us using the information in the "HOW TO CONTACT US" section below.

 

6. YOUR RIGHTS

 

Under Relevant Laws and Regulations, you have the right to:

  • require GHA to explain its Personal Information Processing rules;
  • restrict or deny the Processing of your Personal Information;
  • request access to and make copies of your Personal Information;
  • require the transfer of your Personal Information to certain third parties;
  • correct your Personal Information if it is incomplete or inaccurate;
  • have your Personal Information deleted if:
    • the purpose of Processing has been achieved or cannot be achieved;
    • the Personal Information is no longer necessary to achieve the purpose of Processing;
    • the provision of goods or services ceases;
    • the retention period expires; 
    • the Processing conducted by GHA violates Relevant Laws and Regulations or relevant agreements; and
    • required to by Relevant Laws and Regulations in any other circumstances.
  • withdraw consent, at any time, to any Personal Information Processing based on consent; 
  • demand an explanation of and refuse decisions made solely employing automated decision-making that have a material impact on your rights and interests; and
  • refuse or restrict business marketing or push-based information delivery conducted by means of automated decision-making.

Please note that if you decide to withdraw your consent, such withdrawal will not affect the validity of any Personal Information Processing already carried out before the withdrawal based on your consent.

If you would like to exercise the rights described above, please get in touch with us using the information in the "HOW TO CONTACT US" section below. We will deal with your requests to exercise your rights under applicable Chinese laws or administrative regulations promptly and within 15 working days.

Additionally, if you use our mobile application, you can also correct, complete or delete some of your Personal Information by clicking on Account/ Profile in the app.

 

7. HOW TO CONTACT US

 

If you have any questions about anything described in the Privacy Policy or this Addendum, or you wish to exercise your rights under Relevant Laws and Regulations, you may get in touch with us using any of the contact details listed below:

 

GHA Loyalty DMCC (Head Office)

Head office: 21st Floor, JBC5 Tower, Jumeirah Lake Towers, PO Box 487771

Dubai, United Arab Emirates

Phone: +971 4 4214287

Email: [email protected] (available in Chinese and English)

 

GHA Loyalty DMCC (Representative in China)

Email: [email protected] (available in Chinese and English)

 

Prof. Dr. Rolf Lauser

Data Protection Officer

Dr.-Gerhard-Hanke-Weg 31, 85221 Dachau, Germany

Email: [email protected]