MINORS’ DATA PRIVACY AND SECURITY POLICY

Effective Date: 1 April 2020

Last Updated: 20 December 2022

The Hongkong and Shanghai Hotels, Limited and its group companies and affiliates (“HSH Group”, “we” or “us”) is committed to protecting our customers’ Personal Data and have published the Data Privacy and Security Policy

To ensure that the guardian (“Guardian”) of a minor user under the age of 18 (“Minor User” or “Minor”) can give informed consent on providing the Minor’s Personal Data (as defined in Section 1 below), we hereby provide this Minors’ Data Privacy and Security Policy (“Minors’ Privacy Policy”) to set out how we collect, store, use, transfer and disclose Minors’ Personal Data. If you are the Guardian of a Minor, please read carefully and ensure that you fully understand and choose whether to agree to this Minors’ Privacy Policy.

In general, we do not proactively collect or process a Minor’s Personal Data without the Guardian’s consent. However, due to technical limitations, we are not able to identify the age of users in some scenarios, especially when providing online services. In such cases, we consider that users have the complete and legitimate right to provide their Personal Data to us pursuant to applicable laws and that we are allowed to collect and process their Personal Data in accordance with the Data Privacy and Security Policy If we have collected a Minor’s Personal Data unwittingly without the Guardian’s consent, we will delete such information timely after being informed of this.

Instructions for Guardians: Providing us with your Minor’s Personal Data directly or via any third parties (including service providers and agents) will be deemed as you have acknowledged and consented to our collection, storage, use, transfer and disclosure of your Minor’s Personal Data in accordance with the Data Privacy and Security Policy, this Minors’ Privacy Policy and applicable laws. We only collect the Minor’s Personal Data for the purpose of providing you and the Minor with products or services. We will not use the collected Minor’s Personal Data for any marketing purposes nor share it with third parties for such purposes. If you do not agree with the content of the Data Privacy and Security Policy or this Minors’ Privacy Policy or the necessity of providing certain information for a service herein, your disagreement may result in that we cannot provide products or services properly, or our services cannot meet your expectation, or you and the Minor cannot enjoy our products, services or some of their functions properly. If you find that the Minor has provided us any Personal Data without your consent, please notify us to delete via the Contact Information under Section 5 “Contacting Us” in this Minors’ Privacy Policy.

Instructions for Minors: Please inform your parent or Guardian to read this Minors’ Privacy Policy and obtain his/her consent before providing any Personal Data (including name, gender, date of birth, ID number, address, telephone number, etc.) to us. DO NOT provide any Personal Data to us until you have obtained your Guardian’s consent.

This Minors’ Privacy Policy specifically focuses on general and technical details about the protection of Minor’s Personal Data, which special rules are formulated based on Data Privacy and Security Policy. In case of any inconsistency with the Data Privacy and Security Policy, this Minors’ Privacy Policy shall prevail. Matters not covered herein shall be subject to applicable provisions in Data Privacy and Security Policy.

Our website may contain links to other third-party websites. When visiting such third-party websites, please follow their own privacy policies. We do not undertake any responsibility or liability for their privacy policies or processing of Personal Data. Please carefully read these privacy policies before submitting any Personal Data (including Minor’s Personal Data) to such third-party websites.

1. How we collect and use Minors’ Personal Data

2. How we share Minors’ Personal Data

3. How we transmit, protect and store Minors’ Personal Data

4. Rights of Guardians and Minors

5. Contacting us

6. How we use Cookies and similar technologies

7. Changes to the Minors’ Privacy Policy

1. How we collect and use Minors’ Personal Data

Personal Data refers to all kinds of information recorded in electronic or other forms which related to identified or identifiable natural persons, including but not limited to name, date of birth, ID card number, biometric information, email address, residential address, telephone number, etc.

1.1 To the extent necessary to provide products or services to Minors, we may collect and process Minor’s Personal Data for the following purposes:

(a) To administer hotel room reservation: Users can submit reservation requests via our website, our Global Customer Service Centre (GCSC) or our third-party service providers’ website. If a Guardian makes a reservation request through the above ways, we will collect the Minor’s Personal Data including name, age, nationality, and gender through the Guardian. If the Guardian and/or Minor have special requirements or preferences for room type and setup, transportation, food and beverage and internet access, we will also collect relevant information based on such requests;

(b) To verify the guardianship between a Minor and his or her Guardian: When you provide a Minor’s Personal Data to us, or request to exercise relevant rights, we may collect your contact details and identity information (such as ID card information and household register information) to verify your guardianship over the Minor. We will protect rights and interests over the Personal Data of you and the Minor(s) under your custody by linking their Personal Data with your account;

(c) To provide hotel-related services: To provide a Minor with hotel-related services, including but not limited to accommodation, transportation, food and beverages and special activities for Minors, and to meet any special needs, where necessary, we may collect the Minor's Personal Data, including:

(i) Check-in: In accordance with the applicable laws, we may be mandated to collect Minors’ Personal Data including their identity information (such as passport, ID card, household register, etc.), and may collect Minor Users’ type of entry visa (if required) to compete the check-in. In addition, according to Minor Users’ age, we may send with them different greeting cards to collect their name, age, favourite number, colours, food and toys, in order to provide them with better services;

(ii) Transportation service: To provide safe and on-time transportation service to Minors and their families, we may collect the age, number and travel plan of the passengers (e.g., arrival and/or departure time, destination, etc.);

(iii) Food and beverages services: To provide better food and beverages service, we may ask Guardians to fill in our questionnaire, including the name, date of birth, telephone number, email address and food preferences of themselves and their family members (including minors). In addition, we will also collect information about food taboos and preferences of Minors to provide customised services in a safe manner;

(iv) Taking part in activities designed for Minors: We provide interesting activities for Minors, e.g., calligraphy class, chocolate-making class, drawing class and swimming class. Guardians may sign up those activities via our online or offline channel. To administer reservations and for organizing activities, with Guardians’ consent, we may collect the Minors’ Personal Data, including name, gender, age, address, contact information and other Personal Data related to the activities (such as photos and video footages of activities) that the Minors are about to participate. We will not use relevant photos or videos of activities for marketing activities without the Guardians’ prior consents. In general, Minors are not allowed to purchase, sign up, or participate in these activities by themselves without their Guardian’s consent and company.

(v) Handling of accidents, medical service demands, and claims received by us: To handle or assist the Guardian in handling any accidents (e.g., contacting with emergency services providers), medical service needs and any claims related to Minors (e.g., personal injury claims), we may collect, and process Minors’ health related or medical information when necessary and appropriate;

(d) To provide residence and restaurant services: To complete transactions and provide services at request of the Guardian, we may collect certain information from the users based on actual needs, which may include Minors’ Personal Data; and

(e) Other customised services and products: To ensure the customers’ seamless enjoyment of our services in the future, we may collect and store their specific requirements and preferences (including Minor Users) to provide customised services satisfying personalised needs upon their return.

1.2 From what channels we collect Minors’ Personal Data

(a) With the Guardian’s consent, we may collect a Minor’s Personal Data directly from the Guardian or through third-party agents or service providers that are engaged by the Guardian to purchase, book or sign up online or offline services provided by us as mentioned above on his or her behalf.

(b) Subject to the Data Privacy and Security Policy, this Minors’ Privacy Policy and applicable laws, we may collect Personal Data from public sources accessible to us and the followers of our social media accounts to provide, enhance and improve our products and services.

2. How we share Minors’ Personal Data

2.1 In order to provide our customers with continuous and personalised services, we may share Minors’ Personal Data within the Group. We may share Minors’ Personal Data with the following third parties only for the following purposes or with the Guardians’ consent.

(a) Affiliates: To provide a Minor with services and to ensure the consistency of service standard and business management, we may share the Minor’s Personal Data with the affiliates in the Group. We only share necessary Minors’ Personal Data when we are required to do so. Our affiliates have signed intra-group data sharing agreements and undertake to be governed by this Minors’ Privacy Policy when handling Personal Data. If an affiliate needs to change the handling purpose of Personal Data, your consent will be obtained again. You may find a list of our affiliates by clicking here;

(b) Third parties who process Minors’ Personal Data on our behalf to help us carry out the activities described in the Section 1: We may permit selected external parties (e.g., vendors, suppliers, agents, contractors) to process Minors’ Personal Data for the purposes set out in Section 1. We have signed agreements with these third parties to prohibit them from using the Minors’ Personal Data for purposes other than that specified in the respective agreements, and to request these third parties to adopt appropriate safeguards measures when processing Minors’ Personal Data.

(c) Law enforcement agencies, government authorities, regulators, and the court to comply with our legal obligations or to handle incidents / claims: We may disclose Minors’ Personal Data when required by relevant laws or by court order or requested by other governmental or law enforcement authorities to assist with proceedings or investigations. Where permitted, we will share such request to or notify the Guardians before responding unless doing so would prejudice the prevention or detection of an actual or suspected crime. This also applies when we have reason to believe that disclosing Personal Data is necessary to obtain legal advice and/or to identify, investigate, protect, contact, or bring legal action against someone who may intentionally or unintentionally cause interference with or damage to our guests, visitors, associates, properties, or others; and

(d) Third parties who require such data in connection with a change in the structure of our business: In the event that we (or a part thereof) are (i) subject to negotiations for the sale of our business or (ii) sold to a third party or (iii) undergo a reorganisation, any of Minors’ Personal Data which we hold may be transferred to that re-organised entity or third party and used for the same purposes as set out in this Minors’ Privacy Policy, or for the purpose of analysing any proposed sale or re-organisation. We ensure that we will not transfer Minors’ Personal Data more than necessary.

For individuals (including Minors) living in the People's Republic of China (for the explanation this Minors’ Privacy Policy, excluding Hong Kong Special Administrative Region, Macao Special Administrative Region and Taiwan, hereinafter referred to as "China"), please read Annex II – “Local Specific Provisions - for individuals in China” of the Data Privacy and Security Policy for additional provisions.

2.2 This Minors’ Privacy Policy does not apply to third party suppliers (e.g., airlines, online travel agents, car rental companies, table booking websites) who may collect Personal Data of you and the Minor under your custody and share them with us. We strongly advise you to review the relevant third-party supplier’s privacy policy before providing your and the Minors’ Personal Data.

3. How we transmit, protect and store Minors’ Personal Data

3.1 Data transmission and storage across international borders

To process your reservation and payment and to provide Minor Users with other services related to our business, certain Minors’ Personal Data may be transferred to and processed in other countries or regions when necessary. Data protection laws may vary among these countries or regions which cause protection level of Minors’ Personal Data different. We take appropriate measures (including contractual provisions and technical mechanisms) to ensure Minors’ Personal Data will be securely transferred to and sufficiently protected by recipients at the same level as that in their originating countries or regions.

Please refer to Section 4 and Annex II: Local Specific Provisions – for individuals in China of the Data Privacy and Security Policy for additional provisions on how we transfer data across border and store Minors’ Personal Data originated from China.

3.2 Safety control

As a global company, we endeavour to provide all users with the same high-quality service, and to take commercially reasonable administrative, technical, and physical safeguards designed to protect Minors’ Personal Data we collect, store, and transmit from loss or being accidentally, unlawfully or unauthorisedly destructed, altered, disclosed or used. Please refer to Data Privacy and Security Policy for more information about how we transfer, protect, and store customers’ Personal Data.

3.3       In addition to safeguard measures as set out in Data Privacy and Security Policy, we also take the following measures to protect Minors’ Personal Data:

(a) In terms of access permission:

(i) We limit our employees’ access to Minors’ Personal Data as strictly as possible. Employees are not allowed to access to Minors’ Personal Data without an approval from the customer database manager or other competent administrators;

(ii) We record each access to Minors’ Personal Data and have taken and implemented technical measures and internal policy to protect Minors’ Personal Data from being copied or downloaded illegally or without any justification;

(b)     In terms of the safety management system and personnel:

(i) We have set up an information security team to be responsible for the construction of the information security system;

(ii) We have established relevant safety management systems in information collection, storage, transmission, encryption, network security, vulnerability management and security incident handling.

(c)     In terms of technical measures:

(i) We have adopted technical measures such as encryption to protect the security and confidentiality of information transmission;

(ii) We have adopted technical measures, such as intrusion detection/protection systems, network firewall, anti-virus techniques, anti-spam tools, etc., to protect the security and confidentiality of information preservation;

(d)     In terms of security incident handling:

(i) We have developed a security incident reporting and disposal management system, such as HSH Group Cybersecurity Incident Management System and Emergency Response Plan;

(ii) When we discover any Minor’s Personal Data subject to the risks of leakage, damage or loss, we will immediately execute emergency plans and take remedial measures;

(iii) If any data leakage, damage, or loss occurs and has caused or will cause serious consequence, we will immediately report it to relevant government authorities and inform the Guardian of the affected Minor by email, letter, call or push notification in accordance with laws.

3.4 Despite such measures, please note that no company can fully eliminate risks or guarantee complete security of Minors’ Personal Data. Unauthorised entry or use, hardware or software failure, and other factors may compromise the data security. While we strive to put in place appropriate contractual protections, we are unable to guarantee the security of Minors’ Personal Data hosted on databases run by third parties, and we bear no liability for use or disclosure of Minors’ Personal Data or other data arising from data theft or other malicious actions.

4. Rights of Guardians and Minors

4.1 As the subjects of Personal Data, customers are entitled to specific rights to their Personal Data collected by us in accordance with the Data Privacy and Security Policy.

4.2 If the subject of Personal Data is a Minor, he/she or his/her Guardian may contact us as set out in Section 5 below and exercise the following rights in accordance with the Minors’ Privacy Policy:

(a) Access: you can ask us to provide relevant inquiries and request to view the Minor’s Personal Data under your custody;

(b) Correction: you can ask us to correct any inaccuracies in the Minor’s Personal Data;

(c) Complaint: if you are not satisfied with our use of the Minor’s Personal Data or our response to you when you are exercising your rights, you may lodge complaints to the data protection authority in your country or region;

(d) Erasure: you can ask us to delete the Minor’s Personal Data. Unless otherwise specified by any laws or regulations, we will delete such data as per your request;

(e) Withdrawal of consent: you can withdraw your consent at any time. Please note that withdrawal of some consents may affect the Minor’s enjoyment of relevant services or goods we provide;

(f) Object to providing: you can decide whether to provide the Minor’s Personal Data to us; to the extent permitted by laws, we are also entitled to refuse providing certain goods or services to Minors on the ground of insufficient information;

(g) Object to processing: you can object to processing of the Minor’s Personal Data, unless otherwise specified by laws and regulations;

(h) Restriction: you can restrict our use of the Minor’s Personal Data during an investigation, e.g., whilst we are verifying the accuracy of the Minor’s Personal Data or the then effective grounds that we relied on to collect and store such data;

(i) Portability: where technically feasible, you can require us to transmit the Minor’s Personal Data to a third party as designated by you in a structured, commonly used and machine-readable form (if the request is made by the Minor, your consent is required)

(j) Updating information: we will use economically reasonable endeavours to ensure accuracy of the Minor’s Personal Data in our system. To keep the Minor’s profile updated, please notify us of changes to the Minor’s Personal Data by contacting us via the manners as set out in Section 5 below; and

(k) Notification in the event of breach: in the unlikely of data breach, we will inform disclosure of the Minor’s Personal Data in accordance with applicable laws.

Please note that the above rights are subject to the provisions regarding the Minor’s legal capacity or rights as well as various exceptional provisions and data protection laws of the country or region where the Minor is living in.

5. Contacting us

5.1 If you have any questions about this Minors’ Privacy Policy or our processing of Minors’ Personal Data, please contact us as below. We will make reply within 15 workdays after verifying your identity (including your guardianship over the concerned Minor):

Global Data Privacy Team

The Hongkong and Shanghai Hotels, Limited

8/F St George’s Building

2 Ice House Street

Central

Hong Kong

Phone: +852 2926 2888 

Fax: +852 2732 2933

Email: privacy@peninsula.com

Data Protection Officer in China Mainland

The Palace Hotel Ltd.

8 Goldfish Lane, Wangfujing, Beijing

The Peninsula Beijing

Phone: +86 10 8516 2888

Email: privacy@peninsula.com

The Peninsula Shanghai Waitan Hotel Company Limited

No. 32, The Bund 32 Zhongshan Dong Yi Road, Shanghai

The Peninsula Shanghai

Phone: +86 21 2327 2888

Email: privacy@peninsula.com

Alternatively, you can contact our Representative in the European Union at:

Peninsula Paris Hotel Management SARL

Ref: “EU Representative”

c/o The Peninsula Paris

19 avenue Kléber,

Paris, France, 75116

Attention: Executive Office / HSH Management Services Limited

Phone: +33 1 5812 2888

Email: privacy@peninsula.com

Or our Representative in the United Kingdom at:

Peninsula London Limited

(Acting as general partner on behalf of Peninsula London, LP)

Ref: “UK Representative”

c/o The Peninsula London Pre-Opening Office

First Floor, Interpark House,

Down Street, London W1J 7AJ,

United Kingdom

Attention: Executive Office / HSH Management Services Limited

Phone: +44 20 8106 2888

Email: privacy@peninsula.com

6. How we use Cookies and similar technologies

6.1 We may use Cookies (“Cookies”) and similar technologies to provide better services. For detailed information on the Cookies we use and the purposes for which we use them, please refer to our Data Privacy and Security Policy and Cookies Policy.

6.2 Generally, due to technical limitations, we are not able to identify the age of users when collecting information through Cookies. If you find or are concerned about we collecting Minors’ Personal Data through Cookies, you can contact us as set out in Section 5 “Contacting Us” in this Minors’ Privacy Policy, or manage or delete Cookies by clearing them stored on computers or other mobile devices, or block Cookies permissions set by the browser. With respect to different browsers used, you may need to change the user settings every time they visit our website.

7. Changes to the Minors’ Privacy Policy

7.1 In the future, we may make changes to this Minors’ Privacy Policy. All changes will be included in the latest Minors’ Privacy Policy posted on our website or mobile application. You will always be able to check our current practices of collecting, using or sharing with third parties these Minors’ Personal Data. You will find the latest updated date shown in the first page of this Minors’ Privacy Policy. Any changes to Minors’ Privacy Policy will become effective upon its post date.

7.2 We will notify you of any major changes to this Minors’ Privacy Policy if it is mandatory. See Section 8 “Changes to the Privacy Policy” of the Data Privacy and Security Policy for details.