Data Privacy and Security Policy Mainland China | The Peninsula Hotels



Effective Date:  24 June 2019
Last updated:  1 April 2020

This Data Privacy and Security Policy (Mainland China) (Privacy Policy) sets out how The Hongkong and Shanghai Hotels, Limited and its group companies and affiliates (HSH Group, the Group, we or us) collects, stores and handles your Personal Data (as defined in section 1 below). The list of companies within the HSH Group is set out at 

This Privacy Policy is intended to ensure you can make informed decisions about supplying Personal Data relating to you when purchasing our products and using our services. For any comments or queries, please contact us as set out in section 6 “Contacting Us”.


You can find a Peninsula Hotel and/or restaurants or other goods and services operated and provided by the HSH Group from the following websites online:,,,,,,,,,and


This Privacy Policy applies to your Personal Data collected online through our operating websites and communication channels such as our WeChat official account, and also applies to your Personal Data collected by us offline. 

This Privacy Policy is based on the Cybersecurity Law of the People’s Republic of China and other applicable laws and regulations in force at the time this Privacy Policy is released (hereinafter collectively referred to as the “Related Laws”).

Please note that our websites and the provision of our products and services are not intended for children (under the age of 14) and minors (beyond the age of 14 but under the age of 18) and we do not knowingly solicit or collect Personal Data from children and minors. To ensure that the legal guardian of a child user can make an informed decision on providing the child’s Personal Data when enjoying our services, we release the Child Privacy Policy (Mainland China) to set out how we collect, store, use, transfer and disclose a Child’s Personal Data. If you are a guardian, please read carefully and ensure that you fully understand and choose whether to agree to the Child Privacy Policy (Mainland China).

This Privacy Policy contains general and technical details about the steps we take to respect your privacy concerns. By submitting your Personal Data to us, you agree to the collection and processing set out in this Privacy Policy. If there are any additional uses of your Personal Data that will become relevant, then we will provide you with the necessary information and consult you on such additional uses in accordance with the Related Laws. 











1. How we collect and use Personal Data


Personal Data refers to all kinds of information recorded in electronic or other forms, which can be used independently or in combination with other information, to identify your personal identity, including but not limited to your name, date of birth, identity card number, biometric information, email, address and mobile number. We may collect and process your Personal Data for the following purposes.

1.1 Hotel related services

(a) To register “My Peninsula” account ► When you make a hotel room reservation online, you can enrol for a My Peninsula account by providing us with your name, telephone number, email address and setting a password for the account; 

(b) To administer your hotel room reservation ► you can process your reservation requests via our website, online booking engine, our Global Customer Service Centre (GCSC) or our third party service providers’ website. You will provide us with your basic information, including your title, name, email address, telephone number, country/city of residence, preferences or requirements relating to the room, dietary, spa treatment and internet access for processing the reservation; 

(c) To provide you with services ► to provide and charge for hotel related services, including but not limited to accommodation, food and beverage and spa treatment, and to facilitate any special requests or assistance that you have asked for, we will collect your Personal Data including, among others, 

(i) Check-in: as required by local laws, you are required to fill in the guest registration card when checking-in and provide us with your name, title, nationality, passport number, identity card or household registration book, and where relevant, the type of entry visa, room preference and other request. You may also provide us with information including your date of birth, address, payment method (credit card number and expiration date), arrival time, departure time, room type, number of guests and deposit;

(ii) Spa treatment services: to enable us to provide you with spa treatment services, you are required to fill in a consultation form with your name and may also give us your health related information;

(iii) Food and beverage services: to provide you with better food and beverage services, you may fill in our food and beverage questionnaire which requires you to provide information including your name, telephone number, date of birth and email address;

(iv) Transportation services: to provide you with punctual transportation services, you may provide us with your flight number, train number, arrival and departure date and time, requests of airport transport service, frequent flyer information and your travel partner information.

We collect your itemised spending to properly assemble your folio during your stay at our hotel, which includes your room rate and other expenses billed to your room;

(d) To complete your purchase ► we may collect your name, telephone number, email address, residential and/or delivery addresses to deliver your orders when you purchase a Peninsula gift certificate or merchandise;

(e) To process your payment ► we may also collect your credit card information, including cardholder name, credit card type, card number and expiration date to process your payment;

(f) To contact you ► we may send a confirmation of your booking via email, SMS or other means and in the case of room reservations, a pre-arrival message summarising your confirmation details and preferences and other information about the hotel, the surrounding area and the weather; and

(g) To customise our services and products to you ► to assure your future comfort and attention to your individual needs, we collect and store specific information about you, such as your food and beverage preferences and other special requests. For example, if you are a repeat guest at our hotels or restaurants or have filled out our food and beverage questionnaire, we may store your Personal Data in our system to serve you better upon your return.


1.2 Residences and commercial leasing, operation of residential clubs and food and beverage outlets

(a) To provide you with services ► to complete transaction and provide you with service, we may collect information such as identity card and passport details, tenancy particulars, employment particulars and club membership particulars.

1.3 Others

(a) Customer services ► if you contact us such as when you make enquiries, we may keep a record of that correspondence, including your telephone number or email address;

(b) To follow our WeChat official account ► when you follow our WeChat official account and use our services provided, we may collect your WeChat nickname, profile picture, basic information and your visiting and purchase record in our official account;

(c) For survey and research purpose to improve our services and products  ► to facilitate the research of new services and products, as well as improve our existing services and products, we may also ask you to complete surveys that we use for research purpose. In such circumstances, we shall collect the information provided in the completed survey;

(d) To provide marketing materials to you ► to provide you with updates, offers, and subscriptions where you have chosen to receive these, or connected with us via social media platforms, such as WeChat. With your consent, we shall send you information about The Peninsula Hotels, the Peak Tram, and restaurants and residential clubs operated by our group companies, including news, offers and promotions about our hotels and arcades, food and beverage, spa treatments, merchandise, branded residences, touristic services and special events by us or our arcade partners by different channels of communications, such as by post, email, telephone or SMS. You may also see these offers, promotions and information on social media platforms through which you have connected with us. Please note that this is subject to the terms and conditions of use of the relevant social media platform. It is however our intention to only send you communications that you want to receive. When you opt-in to receiving promotional material either on a guest registration card or when you enrol in My Peninsula, or patronise our restaurants or sign up on our websites and provide your  details to us specifically and expressly in order to receive marketing communications specified above, we will periodically contact you via your preferred channel(s). We typically use third party email service providers to send emails. These service providers are contractually prohibited from using your email address for any purpose other than to send emails related to the HSH Group operations and any organised special events. Personal Data will not be shared with third parties for their own marketing purposes. We provide you with the ability to unsubscribe from all marketing communications. Every time you receive an email, you will be provided with the choice to opt-out of future emails by following the instructions provided in the email. 
You may also opt-out of receiving promotional materials by updating your My Peninsula account, or contacting us as set out in section 6 below; 

(e) For analytics and profiling to tailor our marketing to you ► in connection with our marketing activities, we analyse information that we collect about customers to determine what offers are most likely to be of interest to different categories of customers in different circumstances and at different times. To do this for hotel-related services, we combine Personal Data that we have collected about a customer from a Peninsula Hotel with Personal Data that we have collected from the same customer from another Peninsula Hotel. Such Personal Data include customer behavioural information such as transaction history, spending pattern, preferences, service requests and interactions with us. From time to time, we will assess the Personal Data that we hold about you. We may use this method to avoid sending you offers that are inappropriate or unlikely to be of interest to you. You have the right to opt-out of such analysis of your Personal Data at any time. You can exercise this right by contacting us as set out in section 6 below;

(f) To comply with our legal obligations and defend our legal rights ► to comply with our legal obligations such as financial reporting requirements imposed by our auditors and government authorities, to safeguard our legal rights including, without limitation, in relation to the defence of any claims, to cooperate with law enforcement agencies, government authorities, regulators and/or the court in connection with proceedings or investigations anywhere in the world where we are compelled to do so;

(g) To handle incidents and process any claims we receive ► to handle any accidents and incidents such as liaising with emergency services, and to handle any claims made by customers such as personal injury claims. Please note that this may also require the processing of your health/medical information;

(h) To ensure our website functions correctly ► to ensure that content from our website is presented to you correctly and effectively; and

(i) In connection with any restructuring of our business ► to analyse, or enable the analysis of, any proposed sale or restructuring of our business.


1.4 We do not collect Personal Data when you apply for a Peninsula/American Express credit card. If you apply for a Peninsula/American Express credit card, you will be required to provide certain personal information as part of the credit card application process. We do not own any of the personal information supplied to the American Express group of companies in connection with the Peninsula/American Express credit card application process. You can refer to American Express’ privacy statement posted on their website to understand how the information you supply will be used. American Express is the issuer of the credit card, and all terms and conditions of being a cardholder are dictated by American Express.

1.5 There are several ways by which we may collect your Personal Data from you: (i) we may collect your Personal Data from you directly by engaging with you (e.g. when you make a direct booking on our website); (ii) we may also collect Personal Data from third parties including agents and online service providers that make hotel, spa or restaurant reservations on your behalf, facilitate online payments or gift purchases or that are otherwise involved in the reservations process or delivering our services to you; and (iii) we may also collect Personal Data from you through your activity on social media platforms that link to us such as Facebook fan pages or WeChat Official Account, or when you share content, photographs or follow us. Please note that any social media platform will also have their own privacy policies and processes to govern the processing of your Personal Data.

1.6 If you provide us with Personal Data about other individuals (e.g. family members or travel companions), regardless of whether you are travelling together, you must inform such individuals that you have provided us with their details and let them know where they can find a copy of this Privacy Policy. You must also undertake that you have obtained the consent of other individuals prior to providing us with their Personal Data for processing. 

1.7 “Sensitive Personal Data” are a subset of Personal Data, which may result in bodily injury,  property damage, reputation damage, deterioration of physical and mental health, or discriminatory treatment if such data were to be disclosed or misused for illegal reasons. Sensitive Personal Data may include your identity card number, biometric data, bank account number, communication record and content, financial information, credit information, tracking activities, accommodation information, health information, transaction information, Personal Data of children under the age of 14, etc. We will process such Sensitive Personal Data, where necessary, only if you have given us explicit consent for the collection, processing and disclosure of the Sensitive Personal Data as set out above.

1.8 In relation to “Special Categories of Personal Data” (which is defined as Personal Data relating to your health, political opinions, religious beliefs, ethnicity and race, sex life, trade union membership and in some cases, criminal activity), we do not, as a general rule, process such Personal Data. We may however process health or medical information in order to handle medical incidents and/or claims as per section 1.3(g) above. Where we process Special Categories of Personal Data to handle medical incidents, we do so in order to protect the vital interests of you or another person. Where we process Special Categories of Personal Data to handle claims, we do so on the basis of establishing, exercising or defending legal claims or whenever courts are acting in their judicial capacity. In addition to this, we may process Special Categories of Personal Data in limited circumstances where you have provided such Special Categories of Personal Data (e.g. allergies, disabilities, dietary requirements), so that we can provide our services (e.g. spa treatments and meals) safely to you.

1.9 Where we process Special Categories of Personal Data mentioned in section 1.8 above, we will only do so where you have given us explicit consent to do so. Where you are providing Special Categories of Personal Data about a travel partner, you agree that you have procured their consent to our collection and processing of their Special Categories of Personal Data.

2. How we use cookies and similar technologies

2.1 Our websites use cookies and similar technologies to distinguish you from other users of the relevant website. This helps us provide you with a good experience when you browse our websites. We will keep the user data collected through cookies and other tracking technologies, including but not limited to your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access. For detailed information on the cookies we use and the purposes for which we use them, please see our Cookies Policy.

2.2 Do-not-track (DNT): Because there is not yet a consensus on how companies should respond to web browser-based DNT mechanisms, we do not respond to web browser-based DNT signals at this time.

3. How we share Personal Data

3.1 We may share your Personal Data in the following ways.

(a) Third party service providers who process Personal Data on our behalf to help us undertake the activities described in section 1 ► We may permit selected third parties such as service providers, agents, contractors, entities which may be the hotel owner, and other HSH Group companies to use your Personal Data for the purposes set out in section 1, including mail houses and email service providers that we engage to send and disseminate promotional materials for the HSH Group, data centre providers that host our servers and third party agents that process mailing and purchases of gift cards on our behalf. These parties are contractually prohibited from using Personal Data for any purpose other than for the purpose specified in their respective contracts, and will be subject to obligations to process Personal Data in compliance with the appropriate safeguards. We do not permit the sale of Personal Data to entities outside of the HSH Group for any use. For online payment processing, we work with PCI-DSS compliant payment processing gateway providers;

(b) Law enforcement agencies, government authorities, regulators and the court in order to comply with our legal obligations or to handle incidents/claims ► We may disclose your Personal Data when required by relevant laws or by court order, or as requested by other government or law enforcement authorities to assist with proceedings or investigations. Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of an actual or suspected crime. This also applies when we have reason to believe that disclosing the Personal Data is necessary to obtain legal advice, to identify, investigate, protect, contact, or bring legal action against someone who may be causing interference with our guests, visitors, associates, rights or properties, or to others, whether intentionally or otherwise, or when anyone else could be harmed by such activities; and

(c) Third parties who require such data in connection with a change in the structure of our business ► In the event that we (or a part thereof) are (i) subject to negotiations for the sale of our business or (ii) sold to a third party or (iii) undergo a reorganisation, any of your Personal Data which we hold may be transferred to that re-organised entity or third party and used for the same purposes as set out in this Privacy Policy, or for the purpose of analysing any proposed sale or re-organisation. We will ensure that no more of your Personal Data is transferred than is necessary. 

3.2 This Privacy Policy does not apply to sharing of personal information by third party providers (e.g. airlines, online travel agents, car rental companies, table booking websites) who may collect personal information from you and may share it with us. In these situations, we strongly advise you to review the applicable third party provider’s privacy policy before submitting your personal information.

4. How we transmit, protect and store Personal Data

4.1 Security of communications ► It is important to note that no security system or system of transmitting information over the Internet can be guaranteed to be one hundred percent secure. There is a risk inherent in the submission of information online and the use of email and facsimile. Please be aware of this when requesting information or sending forms to us online or by email or facsimile, for example, from section 6 “Contacting Us”. We recommend that you do not include any sensitive information including credit card details when submitting information online, using email, facsimile or when using any public computers/public WIFI. 

4.2 Security controls ► We maintain commercially reasonable administrative, technical and physical safeguards designed to protect the Personal Data we maintain against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. Despite such efforts, however, please note that no company can fully eliminate risks or guarantee complete security of personal information. Unauthorised entry or use, hardware or software failure, and other factors may compromise the security of your information. While we strive to put in place appropriate contractual protections, we are unable to guarantee the security of Personal Data hosted on databases run by third parties, and we bear no liability for uses or disclosures of personal information or other data arising in connection with theft of the information or other malicious actions. 

4.3 Data Storage ► We store certain customer information and reservation details in our Customer Information System and Reservation System on our subcontractor’s secure servers. Our server resides behind firewalls and takes several measures such as authentication, access control, integrity protection, encryption and anti-virus tool to protect Personal Data collected from you against unauthorised or accidental access. Because laws applicable to personal information vary by country, our hotels or other business operations may put in place additional measures that vary depending on the applicable legal requirements.

4.4 Personal Data transmission across international borders ► As a global company, we endeavour to provide you with the same outstanding service in Hong Kong, as you would find in Paris, New York or Tokyo. To achieve this goal, we have established a global network comprised of properties, offices, global customer service centres, data centres, trusted service providers, and trained associates around the globe. The nature of our business and our operations require us to transfer your Personal Data to other group companies, properties, centres of operations, data centres, or service providers that may be located in countries outside of your own* for the purposes mentioned in this Privacy Policy. Although the data protection and other laws of these various countries may not be as comprehensive as those in your own country, the HSH Group will take appropriate measures, including contractual clauses, to secure the transfer of your Personal Data to recipients (which may be internal or external to the HSH group) located in a country with a level of protection different from the one existing in the country in which your Personal Data is collected.

*Currently, guest data may be stored and transferred to our headquarters in Hong Kong as well as other countries where we are present, including Mainland China, Japan, Vietnam, United Kingdom, United States of America, Thailand, the Philippines and France. We also use third party service providers which are located in countries such as United States of America and Australia to process mailing, certain online bookings and purchases of gift cards.

4.5 Your Personal Data will be stored for the period of time required or permitted by law in the jurisdiction of the operation holding the information (e.g. certain transaction details and correspondence may be retained until the time limit for claims in respect of the transaction has expired or in order to comply with regulatory requirements regarding the retention of such data). So if information is used for two or more purposes we will retain it until the purpose with the latest period expires, but we will stop using it for the purpose with a shorter period once that period expires.

4.6 Our retention periods are based on business needs and your Personal Data will be either irreversibly anonymised (and the anonymised information may be retained) or securely destroyed when we receive your request of removal or your Personal Data is no longer needed. 

5. Your rights

5.1 Opt-out of marketing: You have the right to ask us not to process your Personal Data for marketing purposes at any time. You can exercise your right by checking certain boxes online or on the data collection forms, talking to us in person, or by contacting us as set out in section 6 below.

5.2 Subject to various exceptions and data protection laws in your country, you may have the following rights. We will process your request within a reasonable period in accordance with the applicable data protection laws.

(a) Access: you can ask us to provide you with further details on the use we make of your Personal Data and a copy of the Personal Data we hold about you;

(b) Correction: you can ask us to correct any inaccuracies in the Personal Data we hold about you;

(c) Complaint: if you are not satisfied with our use of your Personal Data or our response to any exercise of these rights, you may have the right to complain to the data protection authority in your country; 

(d) Erasure: you can ask us to delete your Personal Data if we no longer have a lawful ground for use; 

(e) Withdrawal of consent: where processing is based on consent (e.g. marketing, or certain uses of Special Categories of Personal Data), you can withdraw your consent to processing and we will stop that particular processing; 

(f) Object to processing: you have the right to object to other types of processing (e.g. analytics and profiling activities carried out in relation to your Personal Data), unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights; 

(g) Restriction: you can restrict how we use your Personal Data pending any investigation, for example whilst we are verifying the accuracy of your Personal Data or where we are verifying the grounds that we use as the basis of holding your Personal Data;

(h) Portability: where technically feasible, you have the right to ask us to transmit the Personal Data that you have provided to us to a third party in a structured, commonly used and machine readable form; and

(i) Removal of account: you can at any time request removal of your registered account. Once we receive your request, we will erase your My Peninsula account as soon as practicable.

5.3 Updating Information: we will use reasonable endeavours to ensure that your Personal Data is accurate. In order to assist us with this, you should notify us of any changes to your Personal Data that you have provided to us by updating your details in your My Peninsula account or by contacting us as set out in section 6 below.

5.4 Notifications in the event of breach: in the unlikely event of a data breach, we will follow any laws and regulations which would require us to notify you of the disclosure of private information.

5.5 We will process all requests within 15 working days in accordance with the applicable data protection laws.

6. Contacting Us

6.1 For any questions about this Privacy Policy or our processing practices, please contact us through the following manner, and we would revert to you within 15 working days after verifying your identity:

Data Privacy Team

The Hongkong and Shanghai Hotels, Limited 
8/F St George’s Building 
2 Ice House Street 
Hong Kong

Fax: +852 2147 3720


7. Changes to the Privacy Policy

7.1 In the future, we may need to make changes to this Privacy Policy. All changes will be included in the latest Privacy Policy published on the websites as set out at the beginning hereof, so that you will always understand our current practices with respect to the information we gather, how we might use that information and disclosures of that information to third parties. You can tell when this Privacy Policy was last updated by looking at the date at the beginning of the Privacy Policy. Any changes to our Privacy Policy will become effective upon posting of the revised Privacy Policy. We will seek your express consent to any changes to how we use or disclose your Personal Data if required by law but otherwise use of this website or our services following such changes constitutes your acceptance of the Privacy Policy then in effect.

7.2 We will provide a more conspicuous notification whenever there is a substantial change to this Privacy Policy. For example, a pop-up window will appear when you access our website, or we will send you an email directly. Substantial changes include but are not limited to substantial alterations to the grounds for processing your Personal Data, the types of Personal Data we collect, the ways we use your Personal Data, as well as substantial alterations to the rights you possess in respect of your Personal Data and how you can exercise such rights.

8. Other Sites

8.1 The website may contain links to other third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you submit any personal information to such third party websites. 

Data Privacy Team

If after reviewing this privacy statement you have any privacy questions or concerns or would like to request access to, correction or object to the processing of your data for legitimate purposes, please contact our Data Privacy Team.


Data Privacy Team
The Hongkong and Shanghai Hotels, Limited
8/F, St George's Building
2 Ice House Street
Central, Hong Kong


+852 2147 3720