Privacy Policy at Corus Hotels
Privacy Policy
Corus Hotels GDPR Statement
The European Commission’s directive for General Data Protection Rules (“GDPR”) comes into effect on 25 May 2018. Corus Hotels are committed to putting our customers first and to implementing GDPR-compliant data management and protection practices. Corus Hotels are committed to ensuring that all our suppliers and service providers affirm compliance with GDPR, which requires anyone processing, holding, or making decisions on the purpose and use of any personal data of EU citizens to:
- Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- Demonstrate processes for regularly testing, assessing, and evaluating the effectiveness of these measures for ensuring the security of the processing.
We have created a GDPR Portal for guests, clients and patrons to find more information on the specific requirements of GDPR.
Corus Hotels GDPR Governance Statement
With effect from 25 May 2018
Corus Hotels (“the Hotels”; “we”; “us”; “our”) takes a Customer’s (“you”; “your”; “he/she”) personal data seriously and is committed to complying fully with the European General Data Protection Rules.
We will distinguish between Personal Data and Corporate Data
Corus Hotels makes a distinction between Personal Data and Commercial and Corporate Data, i.e. between the corporate and commercial data of individuals (including their corporate and commercial emails) and their personal data and personal emails. Corporate and commercial data, including individual corporate and commercial emails, are retained on the basis of legitimate interest to facilitate the ordinary course of our business and commercial relationships, transactions and business needs in the course of business dealings.
Data Security is of the highest priority for us and we shall manage all Personal Data in full compliance with the Hotels’ GDPR Governance Statement set out below.
We may require you to submit personally identifiable information in order for you to make use of our services. You confirm that any information you enter will be true. We will only request and collect information which is necessary or reasonable in order to provide you with your requested services and to improve the services that we provide. It will not be a requirement to provide any additional information which is not needed to provide the services.
- HOW WE HANDLE PERSONAL DATA: Our authorised staff have been trained to handle all personal data in an appropriate, GDPR-compliant manner. Please click here for our Personal Data Handling Procedure.
- SAFEGUARDING EXISTING PERSONAL EMAILS: Only the Hotel’s authorised Front Desk Staff, Meetings & Events Personnel, Supervisors and Managers have access to personal emails on our database. They have been trained in how to securely handle personal data meant solely for business purposes.
- SECURITY CLAUSE: We will continuously – as and when necessary and prudent – update our Security Clause.
- REGISTRATION CARD: From 1 April 2018 all our Registration Cards will have an ‘OPT-IN’ Box. If you do not tick to Opt-In we will not retain any of your personal data after your period of stay at any of our hotels comes to an end.
- UNSUBSCRIBE OPTION: All communication is clearly marked with an ability to ‘unsubscribe’ at any time.
- EXPRESS CONSENT: If you do not ‘OPT-IN’ or you choose to ‘unsubscribe’ we will not send you any marketing promotion or randomly contact you.
- THIRD PARTY MARKETING LIST: We will only purchase marketing lists from Third Party suppliers who expressly state themselves to be GDPR compliant.
- OPT-IN REVIEW: Every second September, in every even year, we will contact all our customers who have opted in to give them an ADDITIONAL opportunity to decide whether they wish to remain on our database and continue receiving our email marketing offers and promotions.
- ADDITIONAL MEASURE: We will provide a clear ‘Continue Opting-In’ check-box for this purpose. If the customer does not tick this Check-Box, we will remove the customer’s email from our database. This is an ADDITIONAL MEASURE to the ‘OPT-OUT’ or ‘unsubscribe’ option available at any time via the clear and visible tick-box on our GDPR Portal.
- COOKIES: We use cookies. Our Cookie Policy will automatically appear when you visit our webpage. To continue using our webpage, our cookie will need to be accepted and consented to. You are in control of your cookies. If you wish to disable your cookies, please click here.
- WI-FI: All our Hotels provide third-party supplier Wi-Fi connectivity. We give all our visitors the option to expressly ‘OPT-IN’ and consent to future communications. We will not contact you with any offers or promotions if you choose not to opt-in.
- CCTV: We use CCTV in our hotels for the purposes of safety, crime prevention and detection, and safeguarding in all our public areas, including in hotels where we have swimming pools which may be frequented by children. Automated Number Plate Recognition (ANPR) cameras are operated for automated vehicle access. Identified images are processed as personal data. We also collect, record and/or store ad-hoc CCTV Wedding images and details for promotions at Wedding Fayres and Public Events. This CCTV Data is kept in secure environments and access is restricted to the Hotels’ authorised data team and qualified security personnel. We only store the information collected by CCTV for a period of 3 months, which allows us to assist regulatory bodies and law enforcement agencies. After 3 months we destroy all CCTV images in a controlled and verified manner. Our CCTV Policy, the Authorised Data Team who have limited authorised access to this data, our Secure Environment Procedure and our CCTV Data Destruction Policy and Procedures can be found on our GDPR Portal.
- THIRD PARTY SUPPLIERS: All relevant Third-Party Data Suppliers’ Data Policies have been sourced and retained for reference and are stored safely on a shared drive. Only the authorised Hotels data team have access to this data.
- PARTNERS & SUPPLIERS DATA POLICY: We will ensure that all our Partners and Suppliers are GDPR compliant in their declaratory statements. We cannot be responsible as to whether they are in fact compliant. The Data Policy links of our Partners and Suppliers can be found on our GDPR Portal, namely they are Salesforce; Rezlynx, Guestline, Synelink, Revinate, RGA, Moneypennies, Amco FM and any new supplier who deals with personal data.
- DESTRUCTION OF PHYSICAL DATA: Destruction of physical data is carried out by authorised third-party data shredding companies, which issue a certificate of destruction when the data is destroyed. We keep this certificate on file for 1 year, after which it is destroyed.
- TRAINING: From April 2018, and as part of an on-going process with new employees, we will conduct groupwide training and induction for staff and personnel working within our Hotels with access to personal data, namely staff at RECEPTION and within SALES and MARKETING, ACCOUNTS, HUMAN RESOURCES and MANAGEMENT.
- LEGAL REQUIREMENT: We will only share your personal data if legally required to do so, or to assist in any recovery proceedings or as part of a complaints procedure as and when prudently necessary.
- OUR PLEDGE: Other than where legally required to do so, or to assist in any recovery proceedings or as part of a complaints procedure, we DO NOT share your personal data with any Third Parties.
- YOUR RIGHTS: You have the right to request to see the personal information that we hold on you, as well as to request that inaccurate information be corrected. You may ‘OPT-OUT’ of any communication you have previously consented to at any time on our webpage or via the Opt-Out link. Any request to update incorrect information should be directed to the Hotels’ Data Protection Officer at DPO@corushotels.com or alternatively by post to Data Protection Officer, Corus Hotels Ltd, 1 Auckland Park, Milton Keynes, MK1 1BU. This right excludes all corporate or commercial data. We will not charge you for any personal request made by you and only you unless the request is unfounded or excessive. We may require proof of your valid identity before we supply the information to you.
- DATA BREACH: In the event of a data breach, Corus Hotels’ Data Protection Officer shall promptly, within 48 business hours or immediately after a weekend or on the business day after a bank holiday, notify the Information Commissioner’s Office and the affected party of any such breach of personal data.
- STATEMENT UPDATES: The Hotels reserve the right to update and amend this GDPR DATA GOVERNANCE STATEMENT. All such developments will be deemed notified to you by updating this Data Governance Statement.
Corus Hotels General Data Protection Rules Compliance Framework Guide
GDPR Portal:
- GDPR Governance Statement
- Data Privacy Policy
- Legal Basis for Processing Personal Data
- Data Processing & Retention of Personal Data
- Guests Access Rights
Essential Q&A on Corus Hotels’ GDPR Compliance:
- GDPR Compliant Standard Operating Procedure
- GDPR Human Resources
- GDPR Front of House
- GDPR Housekeeping
- GDPR Food & Beverage
- GDPR Guest Relation, Reservation, Meeting & Events, Sales Office
- GDPR Accounts / Payroll
- GDPR Marketing
- GDPR Leisure Clubs
- The Regency Hotel Solihull Leisure Club
- Burnham Beeches Hotel Leisure Club
- GDPR CCTV
Supplier GDPR Policies
Corus Hotel GDPR Training Records
Corus Hotels – Legal Basis for Processing Personal Data
Corporate and Commercial Individual Data
Corus Hotels (“we”, “us”, “our”) makes a distinction between the corporate and commercial data of individuals (including their corporate and commercial emails) and their personal data and personal emails. Corporate and commercial data, including individual corporate and commercial emails, are retained on the basis of legitimate interest to facilitate the ordinary course of our business and commercial relationships, transactions and business needs in the course of business dealings. Individuals with corporate or commercial emails may at any time write to the Data Processing Officer at DPO@corushotels.com to remove retention of their data. This can result in Corus Hotels no longer being able to communicate or transact with any such individual, and Corus Hotels may request that a company or body corporate dealing with us nominate another person expressly willing to receive communication and to have their corporate and commercial individual data retained in the course of business dealings, subject always to the person’s individual rights as set out herein. It shall be the responsibility of each company or body corporate to establish the express consent of persons acting on their behalf.
Corus Hotels have set out herein the Legal Basis for Processing Customer Personal Data. Circumstances where legitimate business interest might apply have been set out below for your reference.
The Legal Basis for Corus Hotels Ltd (collectively referred to as “Hotel”) for processing and/or retaining Personal Data subject to the Data Protection Act 1998 and the European General Data Protection Rules (“GDPR”) are:
- the Hotel shall require from all parties who handle its personal data a statement as to whether such data will be processed or retained outside the European Union, and the Hotel’s express written consent must be sought for any such processing, on the basis of express consent by the Client or on the basis of a clearly evidenced legitimate interest usually necessary to enable the Hotel to perform its contractual obligations or to comply with any legal obligations enforceable in the Courts of England and Wales;
- the Client, in booking a stay and/or use of the Hotel’s facilities, consents to the processing of his or her personal data to enable the Hotel to fulfil the Client’s needs and requirements during the Client’s stay at the Hotel and/or use of the Hotel’s facilities;
- the Employee’s personal data shall be retained on the basis of legitimate interest for a period of 7 years after the Employee leaves the employment of Corus Hotels Ltd. The Client may refer to the Hotel’s Data Privacy Policy weblink (please see Data Processing & Retention of Personal Data on our GDPR Portal);
- the Hotel needs to receive, retain and process relevant personal details insofar as to enable it to perform its contractual obligation or take necessary steps upon the request of a Client or an Employee prior to entering into a contract;
- the Hotel, as the Data Controller, will process and/or retain data insofar as it is necessary to enable the Hotel to comply with its legal obligations, including but not limited to assisting the Government’s security agencies as part of any investigative query that may be made, and shall retain such data under such circumstances until advised by the said security agencies that such data is no longer required, whereupon it shall be destroyed within 7 days of any such final notice;
- the Hotel shall process and retain personal data insofar as it is necessary, subject to particular circumstances, to protect the vital interests of the Client or Employee or any other natural person, for example the need to contact the next of kin or upon a dispute raised by a Client or Employee;
- the Client or the Employee consents that anonymous personal data relating to the Client or the Employee (all personal identification removed) may be used when the Hotel is required to act in the public interest or in the exercise of official authority vested in the Hotel as the Data Controller;
- the Hotel’s retention of personal data of the Client or the Employee will be insofar as it is necessary for the legitimate interests pursued by the Hotel’s Data Controller or a third party (normally Statutory agencies); the Client may seek to withdraw such consent at any time and, subject to the foregoing subclauses parts (a) to (e), the Hotel will comply with the Client’s request. The Client’s rights can be found at The Guest’s Rights with respect to Personal Data under GDPR on our GDPR Portal. All Employee personal data legally required in the course of the Employee’s employment with the Hotel shall be retained until 7 years after the Employee leaves the employment of the Hotel, whereupon it shall be destroyed if there are no ongoing issues or disputes between the Employee and the Hotel;
- The Hotel will not retain any data in relation to any child or children and shall in circumstances involving such minors only deal with their parents or guardians as the case may be.
Legitimate Business interest
- Direct marketing
The GDPR states, ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’ This may apply where consent is not viable or not preferred, where there is a business need or purpose, and where there is a balance of interests between ours and those of the person(s) receiving such direct marketing.
During the period a person responds to and communicates with us on our marketing approach we will retain such data securely at the relevant department. Reference may be made to our Data Processing & Retention of Personal Data Policy. Where such correspondence on the initial approach ceases, or at any time during such communication, any person can easily click on the ‘unsubscribe’ link or make a request by contacting the Data Processing Office at DPO@corushotels.com or at our postal address, which can be found at Data Privacy Policy – Corus Hotels.
- Relevant and appropriate relationship
This may be a direct appropriate relationship, such as where the individual is a client.
- Reasonable expectations
As previously discussed, if a controller understands individuals have a reasonable expectation their data will be processed, this may help to make a case for legitimate interests.
Data Processing & Retention of Personal Data Policy
Corus Hotels Ltd will retain your personal data for the period it is validly necessary related to the subject matter of any enquiry, booking, period of stay, transaction, employment period and marketing communication on the basis of business needs and/or a legitimate interest:
We will only keep data which is relevant to your transaction and/or relationship with us as follows:
- For all Clients of the Hotel, once the Client is no longer a guest at the hotel and there are no outstanding matters between the Hotel and the Client, the Hotel will, further to existing legal requirements, delete all personal data of the Client two (2) years after the Client’s last use or stay at the Hotel and in any event, after that two-year period, within seven (7) days of the settlement of any outstanding balance or issues, whichever is the later;
- For all Employees we will retain personal data during the period of the employee’s employment and for seven (7) years after the employee leaves the employment of Corus Hotels Ltd, and thereafter destroy the same by handing all related files to a certified Data shredding company and removing all related files from our database;
- Personal data of all Marketing Communications expressly consented to by the Client will be deleted upon the Client opting out or unsubscribing from further marketing communications. The Client will be provided clear boxes to ‘Opt-Out’ or ‘unsubscribe’ from any further communication at any time and will not receive any such communication material thereafter. The unsubscribe link will be at the end of each email.
Guests Access Rights
Booking or Transacting with the Hotel
As a matter of legitimate business interest, when you enquire, make a reservation and/or communicate with the hotel as an intended guest, you consent for the Hotel to receive, process and retain your data for the intended purpose or until the period of your stay is complete. You may click on our Data Privacy Policy as to the purpose we collect this data and our Data Processing & Retention of Personal Data Policy as to how long we will retain your personal data.
Your Rights
As a guest from an EU Member State your rights as a guest are as follows:
- The right of access to your data upon your written request to our Data Protection officer at the contact details below. You may follow the same procedure for all your rights below;
- The right to rectification by following the same;
- The right to erasure;
- The right to restrict processing;
- The right to transfer your data to another party with your express written instruction;
- The right to object;
- The right not to be included in automated marketing initiatives or profiling.
The Information Commissioner’s Office’s guide on how to make a personal request for information can be found by clicking on this link: https://ico.org.uk/for-the-public/personal-information/
Guest Access Requests
We will ordinarily respond to you by email within 30 days of your making any request with respect to your rights stated herein above. For a Postal Response the effective response date will be the date of posting and not of receipt. We will not charge you for any personal request made by you and only you unless the request is unfounded or excessive. In the event we decline your request, primarily but not exclusively based on conflicting data protection or privity of contract issues, we will notify you, primarily by way of an email, of our reasons for declining your request.
If you are not satisfied with our reasons for declining your request, you may write your complaint to the following parties:
- The Information Commissioner
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Email: casework@ico.org.uk or follow these links: https://ico.org.uk/for-the-public/raising-concerns/
and/or
- Our Data Protection Officer:
The Data Protection Officer,
Corus Hotels Ltd
Corus House
1 Auckland Park
Milton Keynes
MK1 1BU
Email: dpo@corushotels.com
Lawful Basis for Processing Guest Data
You can click on this link to follow our Legal Basis for Processing Personal Data and our Data Processing & Retention of Personal Data on our GDPR Portal.
Essential Q&A on Corus Hotels’ GDPR Compliance
- Do you use this data for any purpose other than the fulfilment of our contract with you; namely for anything other than the delivery of the accommodation service to our customer?
Corus Hotels does not use personal data for any purpose other than the legitimate purpose and interest of delivering the service of accommodation to our Customers.
- Do you share this data with any other party and if so who and why?
Corus Hotels does not actively share Customer Data. However, Guestline, as our PMS provider, has access to this data and would be deemed a Data Processor under the GDPR Rules. We have obtained a GDPR Compliance statement from Guestline.
Corus only shares Employee data on the basis of business needs and requirement and legitimate interest.
- What period do you retain the data for? (i.e. what period after fulfilment of the contract do you retain the data for prior to disposing of it?)
A maximum of 2 years for Customers and 7 years for Employees as set out hereunder:
- For all Clients of the Hotel, once the Client is no longer a guest at the hotel and there are no outstanding matters between the Hotel and the Client, the Hotel will, further to existing legal requirements, delete all personal data of the Client two (2) years after the Client’s last use or stay at the Hotel and in any event, after that two-year period, within seven (7) days of the settlement of any outstanding balance or issues, whichever is the later;
- For all Employees we will retain personal data during the period of the employee’s employment and for seven (7) years after the employee leaves the employment of Corus Hotels Ltd, and thereafter destroy the same by handing all related files to a certified Data shredding company and removing all related files from our database;
- Personal data of all Marketing Communications expressly consented to by the Client will be deleted upon the Client opting out or unsubscribing from further marketing communications. The Client will be provided clear boxes to ‘Opt-Out’ or ‘unsubscribe’ from any further communication at any time and will not receive any such communication material thereafter. The unsubscribe link will be at the end of each email.
- Do you have a process in place that would allow you to respond effectively and timely to requests from us to ascertain the data that you are holding on one of our customers, to correct any errors in that data and following fulfilment of the contract to comply with an individual’s request to erase their data?
Yes, you may contact our Data Processing Officer at DPO@corushotels.com
We have established clear GDPR compliant Access Rights under our Data Privacy Policy:
You have a right to access the personal information that is held about you. Please refer to details of your right by clicking on this link: Guest Access Rights on our GDPR Portal. To obtain a copy of the personal information Corus Hotels holds about you, please email us at DPO@corushotels.com enclosing your postal details and the details of your request.
Alternatively, you can write to us at the following address:
Data Protection Officer
Corus Hotels Ltd
Corus House
1 Auckland Park
Milton Keynes
MK1 1BU
- What steps have you taken to secure and protect the data? In particular from a breach or other cyber-attack.
We have entrusted our Data Security protection, including protection against cyber-attacks, to our contractor IDE Group Ltd. IDE Group control and monitor all Corus Head Office and Hotels internet traffic through a security gateway. Credit card data is encrypted on our credit card machines, and online payments are only made through our secure gateway providers, namely Lloyds Bank plc, Global Blue Service Company Austria GmbH and Bank of China (UK) Limited, using the latest SSL (Secure Sockets Layer) technology to make sure that the details you provide when placing an order are kept private and secure, making shopping on our website safe. Please refer to Payment Card Security in our Data Privacy Policy on our GDPR Portal.
- Where and how is the data stored?
- Physical Data: Is stored at the Front Desk. The data card is locked in a cabinet and is accessible by authorised personnel of Corus Hotels only. Authorised personnel must sign in and out every time they deal with the secure key.
- Electronic Data: Data on our PMS system is only accessible with a secure password.
- Destruction of Physical Data: Pursuant to our GDPR Policy, physical data which is secured in a locked cabinet with a security key is handed, on or before the end of 2 years from the date such data came into being, to an authorised and certified Data Shredding Company.
- Who can access the data and what controls are in place to prevent unauthorised access?
We have a GDPR Policy and Process in place as to who can access such data. As a hotel operator, the individuals who can access such data are Corus Hotels’ authorised personnel, particularly the Front Desk, who need to deal with such data on a business need and/or legitimate interest basis.
- What is your notification plan in the event of a data breach?
The Data Protection Officer at Corus Hotels Ltd shall promptly, within 48 business hours or immediately after a weekend or on the business day after a bank holiday, notify the Information Commissioner’s Office and the affected party of:
- any data breach;
- the circumstances of such breach;
- the steps taken to remedy the breach; and
- the steps taken to prevent similar recurrence.