GDPR Privacy Policy
for customers using Hotel Keihan from EEA
GDPR Privacy Policy for Hotel Business
DEffective Date: 01/06/2020
Revision Date: 29/03/2024
If you are accessing this website from other than the EEA or the UK, please read our general privacy policy here.
1. About this Privacy Policy
This privacy policy (hereinafter referred to as the “Policy”) is for our customers residing in the European Economic Area (“EEA”) or the United Kingdom (“UK”). This Policy explains how we collect, use and protect your personal data in accordance with the EU and UK General Data Protection Regulation (the “GDPR”) when we provide you with our hotel services.
2. Controller
Hotel Keihan Co., Ltd. (hereinafter referred to as the “we,” “our” and “us”) is the controller in the meaning of the GDPR and we are responsible for the processing of your personal data as described below. Our contact details:
Hotel Keihan Co., Ltd.
Address: Keihan Tenmabashi Building 3F, 1-7-24, Otemae, Chuo-ku, Osaka-shi, 540-0008, Japan
TEL: 06-6585-0215
FAX: 06-6585-0289
Email: contact@hotelkeihan.co.jp
3. How and From Whom We Collect Your Personal Data
We collect your personal data either directly from you or indirectly from our travel agencies through which your booking is made.
4. Purposes and Legal Bases for Processing Personal Data
We process the following categories of your personal data for the respective purpose with the respective legal basis as described below.
*You can scroll horizontally
Purpose | Categories of Your Personal Data We Process | Legal Basis |
---|---|---|
(1) To manage your booking with our hotel. | Your basic information, including your name, region of residence, nationality, address, gender, telephone number, (fax number), (date of birth), (age), (date of marriage), (e-mail address), (place of work), (address of work), booking date, check-in date, check-out date, room number, room price, passport number, (food to avoid), and other information necessary for this purpose. *We only obtain the information in parentheses when you book certain special services such as weddings, company trips, or meals. |
The necessity of the processing to take steps at the request of you prior to entering into a contract. |
(2) To provide our guests with our services, including accommodation, meals, conference, relaxation , parking, transportation, laundry, etc. | Your basic information, including your name, region of residence, nationality, address, gender, telephone number, (fax number), (date of birth), (age), (date of marriage), (e-mail address), (place of work), (address of work), booking date, check-in date, check-out date, room number, room price, passport number, (food to avoid), (occupation), and other information necessary for this purpose. *We only obtain the information in parentheses when you book certain special services such as weddings, company trips, or meals. |
The necessity of the processing for the performance of a contract. |
(3) To provide various services to our guests, including restaurant reservations, tourist information, etc. | Your basic information, including your name, region of residence, nationality, address, gender, telephone number, (fax number), (date of birth), (age), (date of marriage), (e-mail address), (place of work), (address of work), booking date, check-in date, check-out date, room number, room price, passport number, (food to avoid), and other information necessary for this purpose. *We only obtain the information in parentheses when you book certain special services such as weddings, company trips, or meals. |
The necessity of the processing to take steps at the request of you prior to entering into a contract. |
(4) To manage our register of lodgers | Your basic information, including your name, address, contact information, (nationality), (passport number), and other information considered necessary by the prefectural governors such as gender, age, previous place of stay, destination place, arrival date and time, departure date and time, and room number. *We only obtain the information in parentheses for foreign nationals who do not have an address in Japan. |
The necessity of the processing for our legitimate interest in managing the register of lodgers in accordance with the Hotel Business Act of Japan. |
(5) To manage membership services for our guests | Your basic information, including your name, region of residence, nationality, e-mail address, address, gender, telephone number, date of birth, (place of work), (address of work), and other information necessary for this purpose. *We only obtain the information in parentheses from legal entities. |
The necessity of the processing for the performance of a contract. |
(6) To manage our marketing activities | Your basic information, including your name, region of residence, nationality, address, gender, telephone number, (fax number), (date of birth), (age), (date of marriage), (e-mail address), (place of work), (address of work), reservation date, check-in date, check-out date, room number, room price, passport number, (food to avoid), (occupation) and other information necessary for this purpose. *We only obtain the information in parenthesis for specific customers. |
Your consent. |
(7) To conduct digital marketing activities, including promotional activities such as providing information about upcoming events and discount on services through social media or digital advertisement. | Information obtained through device identifiers (e.g. cookies), including browser identification information, website browsing history, and other information necessary for this purpose. | Your consent. |
(8) To maintain the security and proper functioning of our website through management of website visit sessions (log-in status), language setting, etc. | Information obtained through device identifiers (e.g. cookies), including browser identification information, website browsing history, and other necessary for this purpose. | The necessity of the processing for our legitimate interest in managing the website security and maintaining normal functionality of our website. |
(9) To respond to your inquiries and to improve our services based on your opinions and requests, etc. | Information contained in your opinions and requests such as: - your name - age - e-mail address - telephone number - address - gender |
The necessity of the processing for our legitimate interest in responding to your inquiries and improving our services. |
(10) To establish, exercise and/or defend our rights. | Personal data including your basic information necessary for this purpose. | The necessity of the processing for our legitimate interest in asserting, proving, or defending our rights. |
You may choose not to provide your personal data; in such cases, however, we may not be able to offer accommodation or other services to you. Additionally, we may not be able to send you promotional emails.
5. Sensitive Personal Data
We may collect your personal data that is classified as sensitive personal data under GDPR to provide you with appropriate services, including specific restrictions on meals. In such instances, we will obtain your consent or take appropriate measures in accordance with GDPR. If you provide us with sensitive personal data through our website forms or otherwise, you will be deemed to have given us your consent.
6. Security Measures to Protect Personal Data
We will take the following security measures in managing your personal data.
- 1. Formulation of the basic policy
We have formulated the Basic Policy (the Personal Data Management Regulations) to ensure our compliance with relevant laws and regulations in handling personal data. - 2. Establishment of rules for handling personal data
We have established the rules and regulations to ensure the protection of personal data at each stage of the collection, use, storage, provision, deletion and disposal of personal data, setting out the methods of handling, responsible persons and persons in charge and their duties. - 3. Organisational security measures
We have appointed the Chief Privacy Officer as our chief officer in charge of personal data protection, and the Chief Data Protection Managers and Data Protection Managers in each department who handles personal data. The Chief Privacy Officer limits the number of persons who can access personal data, manages the access privileges, prepares a record to monitor the status of personal data processing, and conducts periodic self-inspections. In addition, we have appointed the Chief Audit Officer to carry out audits on our handling of personal data. We have also established a system to respond to any possible data leakages. - 4. Security measures regarding personnel
We provide our employees with regular education and training on information security, including precautions regarding the handling of personal data. In addition, we require all employees who handle personal data to sign a confidentiality pledge. - 5. Physical security measures
Regarding the offices where equipment handling personal data is installed, we have implemented controls such as locking and restricting access to it only to the relevant persons. - 6. Technical security measures
We limit the persons who can access to personal data and personal information databases they can handle by setting and managing access privileges, and we take measures such as encrypting personal data where necessary. In addition, we have set up a system for recording and analyzing access to personal data, and we monitor this system to prevent and detect leaks, etc. of personal data. - 7. Understanding of foreign legal environments
We implement security measures based on our research and understanding of relevant laws and regulations concerning the protection of personal data in countries where your personal data is stored.
7. Retention Period of Personal Data
We will retain your personal data for as long as it is necessary for the purposes described in Section 4. When the retention period of personal data has expired, we will delete or anonymize it within a reasonable period in a secure manner.
8. Disclosure of Personal Data to Third Parties
We may disclose your personal data to third parties for as long as necessary for the purposes described below. If our processing of personal data goes beyond the scope of the legal basis specified in Section 4, we will obtain your consent or complete other necessary procedures to conform with GDPR before disclosing it.
*You can scroll horizontally
Categories of personal data to be disclosed | Recipients | Purposes of disclosure |
---|---|---|
Categories listed in Section 4 (1) and (2) above | Our service providers of the hotel management systems and site controller services to store or manage reservation information, etc. obtained from you | Purposes (1) and (2) in Section 4 above |
Categories listed in Section 4 (3) above | Third party business entities we use to provide services such as meal reservations and information on tourist attractions to our customers (e.g., restaurants and travel organizers) | Purposes (3) in Section 4 above |
Categories listed in Section 4 (4) above | ・Related governmental agencies to whom we are required to disclose our register of lodgers in accordance with the Hotel Business Act of Japan ・Our service providers of the hotel management systems to store or manage personal data obtained from you |
Purposes (4) in Section 4 above |
Categories listed in Section 4 (7) above | Advertising technology companies | Purposes (7) in Section 4 above |
Categories listed in Section 4 (8) above | Our service providers operating and maintaining our website | Purposes (8) in Section 4 above |
Categories listed in Section 4 (10) above | Court or other dispute resolution organizations, attorneys, etc. that we use to execute our contracts with you and to assert, prove, or defend our rights in legal disputes | Purposes (10) in Section 4 above |
9. Cross-Border Transfer of Personal Data
Our disclosure of your personal data to third parties may constitute cross-border transfer of personal data. When we transfer your personal data to a country or region other than the EEA member countries or the UK, we either rely on adequate decisions made by the European Commission or the UK government, use the Standard Contractual Clauses (SCCs) adopted by the European Commission, the International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the European Commission's SCCs approved by the UK Parliament, or take other necessary measures to protect your personal data.
10. Your Rights
You have the following rights set out in the GDPR with the processing of your personal data by us. You may exercise the rights by contacting us via the Point of Contact below. We generally respond to you within one month after receiving your request and verifying your identification unless there are any of the exceptions set out in the GDPR and applicable laws and regulations.
- (1) Withdrawal of consent: You can revoke at any time previously given consent to our processing of your personal data.
- (2) Right of access (we disclose information including purposes to process, categories of personal data, recipients to disclose, retention period, sources to collect): You have the rights to make an inquiry, to review and to request us for copies of your personal data we hold.
- (3) Right to rectification: You have the right to request us to correct any of your personal data we hold which you believe is inaccurate. You also have the right to request us to complete your personal data we hold which you believe is incomplete.
- (4) Right to erasure: You have the right to request that we erase your personal data, under certain conditions.
- (5) Right to restrict processing: You have the right to request that we restrict the processing of your personal data, under certain conditions.
- (6) Right to object to processing: You have the right to object to our processing of your personal data, subject to certain conditions as set out in Section 11.
- (7) Right to data portability: You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
11. Right to Object to Processing
You have the right to object at any time to the processing of your personal data on the basis of our legitimate interests. Please contact us if you wish to exercise this right.
12. Lodging Complaint with Data Protection Authority
In accordance with the GDPR, you have the right to lodge complaints about how we process your personal data with competent data protection supervisory authority. However, we appreciate the opportunity to address your concerns before you lodge a complaint to the data protection supervisory authority. We kindly request that you consider contacting us through the Point of Contact below in Section 13.
13. Point of Contact
We have appointed DataRep as our data protection representative in the EEA and the UK. Please contact the representative by either of the following channels. Please visit this URL for information on how to contact the representative.
Email: datarequest@datarep.com
Webform: www.datarep.com/data-request
Postal mail: Please mail your inquiry to the representative at the address listed on this URL, whichever is most convenient for you.
12. Update of this Policy
We may update this Policy to comply with amendments to the GDPR and applicable laws and regulations. If we update this Policy, we will post it on our website without delay and announce the revision date.