Last Updates: 12th December 2023
Aimbridge Hospitality EMEA (“Aimbridge“, “we” or “us“) respects your right to privacy. This Privacy Notice explains who we are, how we collect, share and use personal information about guests staying at our hotels (“guest“, “you“), and how you can exercise your privacy rights. If you have any questions or concerns about our use of your personal information, then please contact us using the contact details provided at the bottom of this Privacy Notice.
What does Aimbridge do?
Aimbridge offers a complete suite of hotel management services with a team of hospitality professionals, providing hotel owners and developers with personalised attention and a focus on top line revenues and bottom line profits, every single day, at each and every hotel we operate. Our world-class management platform offers industry leading systems and solutions, experienced professionals, depth of resources, and valuable relationships with major global hotel brands.
For more information about Aimbridge, please see the “About Us” section of our website at https://aimbridgeemea.com/about/ .
What personal information does Aimbridge collect and why?
The personal information that we may collect about you broadly falls into the following categories:
- Information that you provide voluntarily
We ask you to provide certain information voluntarily. The types of information we ask you to provide, and the reasons why we ask you to provide it, include your contact details in order to make a reservation, book or purchase one of our services, subscribe to marketing communications from us, and to submit enquiries to us.
We will also ask you to provide your credit card details so that we can charge you for any purchases that you make during your stay at the hotel. We will also collect your hotel loyalty card number so that we can communicate with the hotel to ensure that you collect points for your stay at the hotel.
If we ask you to provide any other personal information not described above, then the personal information we will ask you to provide, and the reasons why we ask you to provide it, will be made clear to you at the point we collect your personal information.
- Information that we collect automatically
We may also collect certain information automatically from your device. In some countries, including countries in the European Economic Area, this information may be considered personal information under applicable data protection laws.
Specifically, the information we collect automatically may include information like your IP address, device type, unique device identification numbers, browser-type, broad geographic location (e.g. country or city-level location) and other technical information. We may also collect information about how your device has interacted with our website, including the pages accessed and links clicked.
Collecting this information enables us to better understand the visitors who come to our website, where they come from, and what content on our website is of interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our website to our visitors.
Some of this information may be collected using cookies and similar tracking technology, as explained further under the heading “Cookies and similar tracking technology” below.
- Information that we obtain from third party sources
From time to time, we may receive personal information about you from third party sources (including travel agents that have made a booking on your behalf), but only where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.
The types of information we collect from third parties include your name, address, email, credit card rewards number and stay history. We use the information we receive from these third parties to honour your reservation.
Who does Aimbridge share my personal information with?
We may disclose your personal information to the following categories of recipients:
- to our group companies, third party services providers and partners who provide data processing services to us, or who otherwise process personal information for purposes that are described in this Privacy Notice or notified to you when we collect your personal information;
- to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
- to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Privacy Notice;
- to any other person with your consent to the disclosure.
Legal basis for processing personal information (EEA visitors only)
If you are a visitor from the European Economic Area, our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
However, we will normally collect personal information from you only where we have your consent to do so, where we need the personal information to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.
If we ask you to provide personal information to comply with a legal requirement or to perform a contact with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).
Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party), we will make clear to you at the relevant time what those legitimate interests are.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “How to contact us” heading below.
Cookies and similar tracking technology
How does Aimbridge keep my personal information secure?
We use appropriate technical and organisational measures to protect the personal information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information.
International data transfers
Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country.
Specifically, our servers are located around the world, and our group companies and third party service providers and partners operate around the world. This means that when we collect your personal information we may process it in any of these countries.
However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice.
We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
Your data protection rights
You have the following data protection rights:
- If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us using the contact details provided under the “How to contact us” heading below.
- In addition, if you are a resident of the European Union, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided under the “How to contact us” heading below.
- You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), then please contact us using the contact details provided under the “How to contact us” heading below.
- Similarly, if we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries (including the US and Canada) are available here.)
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
Updates to this Privacy Notice
We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.
You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.
How to contact us
Corus Hotels – Legal Basis for Processing Personal Data
Corporate and Commercial Individual Data
Corus Hotels (“we”, “us”, “our”) makes a distinction between corporate and commercial data of individuals and their corporate and commercial emails and that of personal data and emails. Corporate and commercial data, including individual corporate and commercial emails, are retained on the basis of legitimate interest to facilitate the ordinary of our business and commercial relationships and transactions and business needs in the course of business dealings. Individuals with corporate or commercial emails may at any time write to the Data Processing Officer at DPO@thebelsfieldhotel.com to remove retention of their data. This can result in Corus Hotels no longer being able to communicate or transact with any such individual and may request a company or body corporate dealing with us to nominate another person expressly willing to receive communication and their corporate and commercial individual data to be retained in the course of business dealings subject always to the person’s individual rights as set out herein. It shall be the responsibility of each company or body corporate to establish the express consent of persons acting on their behalf.
Corus Hotels have set out herein the Legal Basis for Processing Personal Data Customer data. Circumstances where legitimate business interest might apply has been set out below for your reference.
The Legal Basis for Corus Hotels Ltd (collectively referred to as “Hotel”) for processing and/or retaining Personal Data subject to the Data Protection, 1998 and the European General Data Protection Rules (“GDPR”) are:
- the hotel shall require from all parties who handles its personal data a statement that such data will be process or retained outside the European Union and that the Hotel’s express written consent must be sought for any such processing on the basis of express consent by the Client or on the basis of a clearly evidenced legitimate interest usually necessary to enable the Hotel in the performance of its contractual obligations or to comply with any legal obligations enforceable in the Courts of England and Wales;
- the Client in booking for stay and/or use of the hotel’s facilities consent to the processing of his or her personal data to enable the Hotel to fulfil the Client’s needs and requirements during the Clients stay at the Hotel and/or use of the Hotel’s facilities;
- the Hotel needs to receive, retain and process relevant personal details insofar as to enable it to perform its contractual obligation or take necessary steps upon the request of a Client or an Employee prior to entering into a contract;
- the Hotel as the Data Controller will process and/or retain data insofar as it is necessary for to enable the Hotel to comply with its legal obligations including but not limited to assist the Government’s security agencies as part of any investigative query that may be made and shall retain such data under such circumstances until advised by the said security agencies that such data is no longer required whereupon it shall be destroyed within 7 days of any such final notice;
- the Hotel such process and retain personal data insofar as it is necessary, subject to particular circumstances, to protect the vital interests of the Client or Employee or any other natural person, for example the need to contact the next of kin or upon a dispute raised by a Client or Employee;
- the Client or the Employee consents that anonymous personal data relating to the Client or the Employee (all personal identification removed) may be used – when the Hotel is required to act in the public interest or in the exercise of official authority vested in the Hotel as the Data Controller;
- the Hotel retention of personal data of the Client or the Employee will be insofar as it is necessary for of legitimate interests pursued by the Hotel’s Data Controller or a third party (normal Statutory agencies) which the Client may seek to withdraw such consent at any time and subject to the foregoing subclauses parts (a) to (e) the Hotel will comply with the Client’s request. The Client’s right can be found at The Guest’s Rights with respect to Personal Data under GDPR on our GDPR Portal. All Employee personal data legally required in the course of the Employee’s employment with the Hotel shall be retained until 7 years after the Employee leaves the employment of the Hotel whereupon it shall be destroyed if there is no on-going issues or dispute between the Employee and the Hotel;
- The Hotel will not retain any data in relation to any child or children and shall in circumstances involving such minors only deal with their parents or guardians as the case may be.
Legitimate Business interest
- Direct marketing
The GDPR states, ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’ This may be where consent is not viable or not preferred, where there is a business need or purpose and there is a balance of business interests between our and person(s) receiving such direct marketing.
- Relevant and appropriate relationship
This may be a direct appropriate relationship, such as where the individual is a client.
- Reasonable expectations
As previously discussed, if a controller understands individuals have a reasonable expectation their data will be processed, this may help to make a case for legitimate interests.
Guests Access Rights
Booking or Transacting with the Hotel
As a guest from a EU Member state your rights as a guest are as follows:
- The right of access to your data upon your written request to our Data Protection officer at the contact details below. You may follow the same procedure for all your rights below;
- The right to rectification by following the same;
- The right to erase;
- The right to restrict processing;
- The right to transfer your data to another party with your express written instruction;
- The right to object;
- The right not to be included in automated marketing initiatives or profiling.
The Information Commissioners Officer’s guide on how to make a personal request for information can be found by clicking on this link: https://ico.org.uk/for-the-public/personal-information/
Guest Access Requests
We will ordinarily respond to you by email within 30 days of your making any request with respect to your rights stated herein above. For a Postal Response the effective response date will be the date of posting and not receipt. We will not charge you for any personal request made by you and only you unless the request is unfounded or excessive. In the event we decline your request primarily but not exclusively based on conflicting data protection or privity of contract issues, we will notify you – primarily by way of an email – our reasons for declining your request.
If you are not satisfied with our reasons for declining your request, you may write your complaint to the following parties:
- The Information Commissioner
Information Commissioner’s Office
Email: email@example.com or follow these links: https://ico.org.uk/for-the-public/raising-concerns/ and https://ico.org.uk/global/contact-us/email/
- Our Data Protection Officer:
The Data Protection Officer,
Corus Hotels Ltd
1 Auckland Park
Lawful Basis for Processing Guest Data
You can click on this link to follow our Legal Basis for Processing Personal Data and our Data Processing & Retention of Personal Data on our GDPR Portal
Essential Q&A on Corus Hotels’ GDPR Compliance
- Do you use this data for any other purpose than the fulfilment of our contract with you; namely for anything other than the delivery of the service accommodation to our customer?
Corus Hotels does not use personal data for any other purpose other than for the legitimate purpose and interest in delivering the service of accommodation to our Customers.
- Do you share this data with any other party and if so who and why?
Corus Hotels does not actively share Customer Data. However, Guestline as our PMS provider, has access to this data and would be deemed as a Data Processor under the GDPR Rules. We have obtained a GDRP Compliance statement from Guestline.
Corus only shares Employee data on the basis of business needs and requirement and legitimate interest.
- What period do you retain the data for? (i.e. what period after fulfilment of the contract do you retain the data for prior to disposing of it?)
A maximum of 2 years for Customers and 7 years for Employees as set out hereunder:
- For all Clients of the Hotel once the Client is no longer a guest at the hotel and there are no outstanding matters between the Hotel and the Client, the Hotel will delete all personal data of the Client further to existing legal requirement for two (2) years after the Client’s last use or stay at the Hotel and in any event after that two-year period within seven (7) days of the settlement of any outstanding balance or issues, whichever is the later;
- For all Employees we will retain personal data for during the period of the employee’s employment and for seven (7) years after the employee leaves the employment of Corus Hotels Ltd and thereafter destroy the same by handing all related files to a certified Data shredding company and remove all related files from our database;
- Personal data of all Marketing Communications expressly consented to by the Client will be deleted upon the Client opting-out or unsubscribing from further marketing communications. The Client will be provided clear boxes to ‘Opt-Out’ or an ‘unsubscribe’ to from any further communication at any time and will not receive any such communication material thereafter. The unsubscribe link will be at the end of an email.
- Do you have a process in place that would allow you to respond effectively and timely to requests from us to ascertain the data that you are holding on one of our customers, to correct any errors in that data and following fulfilment of the contract to comply with an individual’s request to erase their data?
Yes – you may contact our Data Processing Officer at DPO@thebelsfieldhotel.com
You have a right to access the personal information that is held about you. Please refer to details of your right by click on this link Guest Access Rights on our GDPR Portal. To obtain a copy of the personal information Corus Hotels holds about you, please email us at DPO@thebelsfieldhotel.com enclosing your postal details and the details of your request.
Alternatively, you can write to us at the following address:
Data Protection Officer
Corus Hotels Ltd
1 Auckland Park
- What steps have you taken to secure and protect the data? In particular from a breach or other cyber-attack.
- Where and how is the data stored?
- Physical Data: Is stored at the Front Desk. The data card is locked in a cabinet and is accessible by authorised personnel of Corus Hotels only. Authorised personnel must sign in and out every time the deal with a secure key.
- Electronic Data: Data on our PMS system is only accessible by a secure password
- Destruction of Physical Data: Pursuant to our GDPR Policy physical data which is secured in a locked cabinet with a security key is handed on or before the end of 2 years from the date such data come into being to an authorised and certified Data Shredding Company.
- Who can access the data and what controls are in place to prevent unauthorised access?
We have a GDPR Policy and Process in place as to who can access such data. As a hotel operator, the individuals who can access such data are Corus Hotels’ authorised personnel particularly the Front Desk who need to deal with such data on a business need an/or legitimate interest basis.
- What is your notification plan in the event of a data breach?
The Data Protection Officer at Corus Hotels Ltd shall promptly within 48 business hours or immediately after a weekend or a business day after a bank holiday notify the Information Commissioner’s Office and the affected party:
- of any data breach and the circumstances of such breach;
- the circumstances of such breach;
- the steps taken to remedy the breach and
- prevent similar recurrence