Reservation Center

0120-758-029

(for Hotels in Japan, Toll Free)

+81 52 683 4111

(for Hotels outside Japan)

Internet Reservations
Best Price Guarantee

Privacy Policy

1.PRINCIPLE/CONTEXT

This policy relates to the collection, use and storage by IHG corporate personnel and by IHG owned and managed hotels of all personal data of our guests and any other third parties. Such third parties include potential guests, shareholders, franchisees, potential and existing hotel owners, people who enter our competitions or communicate with us via social media and all other people we interact with as part of our business activities.

The aim of this policy is to make sure that IHG complies with applicable laws and regulations regarding how we manage personal data. These laws and regulations are known generally as data privacy or protection laws and regulations. The damage caused by breaching data privacy laws can be severe and, apart from the reputational damage to IHG and its brands, can lead to heavy fines and (in some countries) criminal sanctions.

The following definitions are used:

Personal data: is any information relating to an identifiable living individual who can be identified from that data (or from that data combined with other data in our possession or that is likely to come into our possession). It includes, but is not limited to, name, address, email address, date of birth, credit or debit card number.

Sensitive personal data: is information concerning racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual life, criminal record and physical or mental health information. Information such as meal preference, disabled access requests or room occupancy should be considered sensitive personal data as it can indicate religious beliefs, health information or sexual life.

2.POLICY

The IHG policy is to comply with all applicable data privacy laws and regulations.

All IHG employees and all IHG owned and managed hotels are required to comply with this policy which sets out the IHG “minimum standard”. Local laws or local IHG policies and procedures may however require a higher standard which must also be complied with.

Breach of the policy may lead to disciplinary procedures.

2.1 Collecting Personal Data

  • Collect only the minimum personal data necessary for the specific purpose that the individual has provided it.
  • Collect or retain sensitive personal data only to the extent necessary to comply with a specific request of the individual (e.g., meal preference or disabled access request) or with the consent of the individual.
  • Personal datashould not be used for any purpose incompatible with the purpose it has been collected for, or which has not been notified in a Privacy Statement, without the consent of the individual.

2.2 Privacy Statements

  • Information about how IHG manages personal data (including how the data will be used and who it will be shared with) should be available to an individual when their personal data is collected (whether collected in person, on a paper or online form, over the telephone, or in video or audio recordings). In many cases, the IHG external privacy statement and policy ("Privacy Statement"), available at ichotelsgroup.com, will be sufficient but any collection or use of personal data not covered by this Privacy Statement may require amendment of the Privacy Statement or creation of a project-specific privacy disclosure. In particular, any proposed use of personal data which is likely to be unexpected should be clearly communicated at the point of collection, for instance (depending on how the data is being collected), by way of a statement in a paper or online form or in a telephone script.
  • All IHG branded corporate or hotel websites or mobile applications must contain a Privacy Statement. The Privacy Statement must generally comply with (and, in most cases, should be identical to) the IHG corporate Privacy Statement available at ichotelsgroup.com. If there is any inconsistency between the IHG corporate Privacy Statement and the way the personal data will be used, stored or transferred for a particular purpose, this must be clearly disclosed.
  • Legal Team approval is required for any changes to any existing Privacy Statement or the creation of any new Privacy Statement.

2.3 Marketing

  • It is a legal requirement in some countries, and IHG best practice, to obtain consent from an individual before sending any marketing communications.
  • All marketing communications must contain a clear, easy and free way for the individual to opt-out of further marketing communications, e.g., a clear unsubscribe button in an email (this includes individuals who have previously given consent to receive marketing communications). Some countries also require that individuals must be able to register their withdrawal of consent for marketing at any time, for instance, on a preference register or by making a written request.
  • If an individual unsubscribes (in any manner) then their details should be suppressed as soon as possible so they are no longer contacted and so that IHG records show that they should not be contacted in the future.
  • Anyone responsible for direct marketing must ensure that a process is in place to respond to “opt-out” requests. This process must be linked to the IHG central process for responding to “opt-out” requests as, depending on the request, the individual’s details may need to be suppressed from several or all marketing lists.

2.4 Consent

  • It is a legal requirement in some countries, and IHG best practice, for consent to take the form of a positive action from the individual, such as checking a box.
  • Where consent is required, a Privacy Statement (see above) should be available prior to the individual giving consent, so their consent is given on an informed basis.
  • A record must be kept of whether consent has been obtained, including where it has been obtained over the phone or in person.
  • The Legal Team should advise on consent requirements.

2.5 Purchasing, Renting or Licensing Personal Data from Third Parties

  • Personal data purchased, rented, licensed or otherwise acquired from third parties (e.g., a mailing list) requires a written contract confirming that appropriate consents have been obtained and that the consents cover the collection and transfer of the data for the purposes for which it will be used by IHG.
  • Any contract to purchase, rent, license, or otherwise acquire personal data from third parties must be provided to the Legal Team for review prior to signing.

2.6 Transfer of Personal Data

  • Personal data must never be sold to third parties.
  • Personal data should not be provided to or accessed by any IHG colleague or any third party who is not authorised to receive or access it.
  • If personal data is to be transferred to third parties in relation to services they are providing to us this must be covered in a written contract which must be reviewed by the Legal Team prior to signing.
  • Personal data must be protected during transfer in accordance with the IHG Information Security Standards applicable to “restricted information”.
  • You must get approval from the Legal Team before transferring personal data across any national border (i.e., between different countries) and outside the IHG network.
  • You must get approval from the Legal Team if you are setting up a new business process that will involve cross-border transfers of personal data even if the transfers will remain within the IHG corporate computer network.

2.7 Requests for Personal Data

  • If law enforcement or government agencies request release of personal data, you should contact your local risk or security team promptly before disclosing any personal data. Requirements in different countries vary but in many countries this will require a court order or other appropriate legal authorisation.
  • For all other requests, except when complying with legal requirements, you must obtain written authorisation from an individual before providing their personal data in response to a request from anyone outside IHG, even if, for example, the person requesting the information claims to be a family member.
  • In many countries people are legally entitled to know whether a company is holding their personal data, what that personal data is and what it is being used for. People may also ask for their personal data to be corrected, deleted or destroyed. There are deadlines for complying with these requests. Any such request must be notified to the Legal Team as soon as possible so that they can manage the response.

2.8 Security of Personal Data

  • All personal data (in whatever form, including electronic, audio, video and paper) must be protected in accordance with the IHG Information Security Standards applicable to “restricted information” which is the highest information security classification.
  • If you think that personal data may have been lost or stolen (e.g., your laptop has been stolen or you have lost a portable storage device or hard-copy personal data) you must immediately notify the Legal Team.
  • Personal data must not be stored on laptops or removable storage devices unless it is encrypted.

2.9 Retention and Destruction

  • Personal data should not be retained for longer than necessary for the purpose for which it was collected or to comply with legal requirements. Personal data should regularly be reviewed to assess whether the information is still needed. Information that is no longer needed for the purposes for which it was collected should be securely deleted or destroyed.
  • Personal data must be destroyed in a manner reasonably intended to prevent the misappropriation or other unauthorized use of the information, for instance by shredding paper records containing personal data, using secure document disposal facilities or secure electronic destruction.

3.RELATED POLICIES AND GUIDANCE

  • IHG Information Security Policy and Standards

4.CONTACTS

If you are starting a new business activity that involves the collection or use of personal data, concerned that current business activities do not comply with this policy or have any other questions or concerns regarding this policy or data privacy, please contact the Legal Team. Contacts for the Legal Team can be found on Merlin on the Business Reputation and Responsibility Pages.

Approved by the Audit Committee: 14 February 2013

Date of next review: 2014