Last revised: April 1st, 2022
1.1 Responsible entities
Seibu Prince Hotels is the ‘controller’ for the purposes of the GDPR and equivalent UK legislation in relation to the handling of personal data obtained from customers in the EEA or UK.
We can’t help you book a room in one of our hotels or reserve a restaurant or activity via our website or via agents without processing personal information. It depends on the processing activity, which personal data we process about you, for which purposes and based on which legal ground. Please find below some general information about our processing of your personal data. Beneath the general information, you will find an overview of our processing activities in which we provide more detailed information about the processing of your personal data in that context. We may collect and use your personal data for the purposes set out below. If your personal data is to be used for any other purpose, we will clearly inform you of the purpose and scope of use prior to collecting or using the information.
2.1 Refusal to provide personal data
We will not compel you to provide your personal data to us. You always have the right to choose whether or not to provide us with your personal data. However, if you choose not to provide certain information, we may not be able to provide certain services to you, for example, we may not be able to accept your reservation or you may not be able to use some of our services. We will make clear to you at the time of collection which information is necessary to obtain for providing the service.
2.2 Information from minors
2.3 Sensitive personal data
We do not obtain sensitive personal data (such as racial or ethnic information, health data, political ideology, religious or philosophical beliefs, information on trade union membership, genetic data, biological data, information on sex life and sexual orientation) and personal data relating to criminal offences except in cases where it meets the requirements of the applicable laws.
If you provide sensitive personal data relating to your health or beliefs as part of your reservation, such as allergy information or information relating to dietary restrictions, we will record such personal data and handle it with your consent and only to provide you with the service.
2.4 Legitimate interest
Sometimes we indicate that we process your personal data based on the legal ground “legitimate interest”. This means that a balance of interests is performed between the interests that are served by the processing on the one hand and your privacy interests on the other hand, and that the interests in favour of the processing prevail. The related legitimate interests are included below per processing activity. If you want more information about this, you can contact us directly via our contact information stated below.
2.5 Processing activities
If you book a room or make a reservation for a restaurant or an event via various channels including our website, app or a booking agent, we may obtain the following categories of personal data from you directly or via a third party, such as a booking agent:
We use the personal data for the following purposes:
Our legal grounds for the processing activity with regards to customer reservations are your consent, the necessity to process personal data for the performance of our contract with you, to comply with a legal obligation under EU and UK law or our legitimate interest to comply with applicable non-EEA/UK laws.
(b) Enquiries and complaints.
If you make an enquiry or complaint to us, we may obtain the following information from you:
We use the personal data for the following purposes and activities:
Our legal grounds for the processing activity with regards to enquiries is your consent, to comply with a legal obligation under EU and UK law or our legitimate interest to comply with applicable non-EEA/UK laws and respond to your enquiries and complaints.
(c) Surveys and reviews
If you complete a survey via our website or review our services, we may collect the following information from you:
We use the personal data for the following purposes and activities:
Our legal basis for the processing activity with regards to surveys and reviews are your consent or our legitimate interest to improve our products and services and to comply with applicable non-EEA/UK laws.
(d) Use of websites or apps
When you use our website or app, we may (automatically) obtain the following information from you via cookies. Cookies are small bits of data that can be placed on your computer, tablet, smartphone or other electronic “device” with which you can use the internet via a web browser. When a website is visited, the website can place these cookies on your device via your web browser. A cookie can be used to identify your device and remember certain settings, such as your language settings.
This information can be considered personal data under the applicable laws. Depending on your browser, you may be able to change the settings and disable the cookies altogether. Please note that this may result in you not being able to use all or part of the services on our website(s).
Our legal grounds for the processing activity with regards to the use of the website(s) or apps is your consent, to comply with a legal obligation under EEA and UK law or our legitimate interest in offering our website and apps to you.
(e) Legal objectives
Personal data and purposes
We may also be required to comply with legal obligations to which we are subject under the applicable laws. We only provide personal data obtained from you to third parties, such as competent authorities, if required by law.
Our legal grounds for the processing activity with regards to legal objectives is to comply with a legal obligation under EEA and UK law and our legitimate interest to comply with applicable non-EEA/UK laws.
There are different ways in which we receive your personal data. Sometimes we receive your personal data, because you provide it to us and sometime we receive it from one of our partners. In this paragraph we inform you on the different methods to collect data from and about you including through:
Sometimes it is necessary to share your personal data with another party, for example because this is necessary for providing our services to you. In this paragraph we inform you under what conditions we will share personal data and with whom.
4.1 Conditions for data sharing
Third parties are not allowed to use personal data concerning you for their own (direct marketing) purposes. Moreover, we only share your personal data with third parties if:
We will ensure that these third parties only use your personal data for the purposes described in chapter 2above or for the purposes for which you have given your individual consent. We will ensure that these parties apply the same strict standards as we do.
4.2 Parties with whom we share your personal data
We may share all or part of the above-mentioned information referred to in chapter 2 above with other affiliated entities and with the following third parties (persons who are engaged in the activities of those parties and authorized to be involved in the processing activities concerned):
It is important to us to protect your privacy. We have implemented various measures to protect and secure your personal data, in order to prevent violations of the confidentiality, integrity and availability of your personal data. All our employees and other persons engaged by us are obliged to respect the confidentiality of personal data. Please note that we take the following precautions:
(a) Technical and organisational security measures
We strictly manage your personal data and take appropriate precautions, such as technical and organisational safety measures against unauthorized access, loss, destruction, falsification and leakage of personal data.
(b) Organisational structure
We established an organisational structure to ensure compliance with the protection of personal data within Seibu Prince Hotels, including the appointment of a person responsible for managing the protection of personal data of our group entities as a whole and a person responsible for managing the protection of personal data in each department. In addition, a department responsible for audit has been established as an internal audit structure.
(c) Internal policies concerning the handling and management of personal data
We have established standards for the appropriate acquisition, retention, use and disposal of personal data and regulations for the handling of personal data to ensure that this is strictly enforced, as well as a code of conduct and specific rules to prevent unauthorised access, loss, destruction, alteration and leakage of personal data.
(d) In-house training
We strive to protect personal data by providing our staff with education and training on the protection of personal data and ensuring that they are familiar with the content of our internal policies.
(e) Ongoing review of internal policies on the handling and management of personal data
We will continuously review and improve our rules for the handling of personal data and the organisational structure for implementing them to ensure that they are effective and appropriate on an ongoing basis.
In addition to transferring your personal data to Japan, we may also transfer it to other countries or territories outside the EEA and UK in connection with the sharing of personal data with third parties as described above. In this paragraph we provide more information on data transfers and the legitimisation thereof.
6.1 Transfers outside the EEA
Part of the third parties which we entrust with your personal data are based outside the EEA and/or the UK (‘GDPR Third Countries’). Any data transfers from the EEA/UK to GDPR Third Countries shall always take place in compliance with Chapter V of the GDPR and UK GDPR and additional recommendation or decision issued in this regard by the European Data Protection Board (‘EDPB’), European Commission or other competent authority. In case the data is transferred outside the EEA or the UK, the transfer is legitimized in the manner described below. Please note that if we collect personal data directly from you, this does not qualify as a transfer. See this link for an overview of the EEA countries.
6.2 Legitimisation of transfers outside the EEA and UK.
Whenever we transfer your personal data to GDPR Third Countries, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
Further information on our legitimization of data transfers to Third Countries will be provided upon your request. Please use our contact information to make such a request, as stated below.
7.1 Main rule
We will retain personal data only for the period necessary to achieve the purpose for which it is used, and will take steps to erase or anonymize personal data after the retention period has elapsed in a secure manner within a reasonable period of time. There could however be exceptions applicable to the general retention terms.
If you exercise certain privacy rights, it is possible we will remove your data earlier than the general applicable retention period or – oppositely – retain it for a longer period of time. For more information about this, please refer to the header “What are your privacy rights?”
7.3 Exception: longer retention period
In certain situations, we may process your personal data for a longer period of time than what is necessary for the purpose of the processing. We may retain your personal data for a longer period, for example if:
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
With regard to personal data collected by us from customers in the EEA or the UK, you have the following rights under the GDPR and equivalent UK legislation. You may exercise these rights by contacting us via the contact information below. If we receive a request to exercise one of these rights, we will respond to the request as soon as possible and after verifying the identity of the person concerned. However, please note that there are exceptions to these rights under the GDPR and we may not always be able to comply with your request.
8.1 Your privacy rights
As data subject you have the right to:
a. Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you. Although this does not necessarily give you the right to receive a copy of the documents containing your personal data, you do have the right to receive a copy of your personnel file. Per your request, we will then also provide you with further specifics of our processing of your personal data.
b. Request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. Please note that this does not provide you with the right to “correct” documents with which you do not agree, such as a complaints report. In such case, a written document detailing your own view on the matter, may be added to the file.
c. Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where: (i) the personal data is no longer necessary, (ii) you have withdrawn your consent, (iii) you have objected to the processing activities, (iv) the personal data is unlawfully processed, (v) the personal data needs to be erased on the basis of a legal requirement, or (vi) where the personal data has been collected in relation to the offer of information society services. Note, however, that we do not have to honour your request to the extent that the processing is necessary: (i) for exercising the right of freedom of expression and information, (ii) for compliance with a legal obligation which requires processing, (iii) for reasons of public interest in the area of public health, (iv) for archiving purposes, or (v) for the establishment, exercise or defence of legal claims.
d. Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
e. Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
f. Request the transfer (right to data portability) of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies if it concerns processing that is carried out by us by automated means, and only if our processing ground for such processing is your consent or the performance of a contract to which you are a party.
g. Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
h. Not to be subject to automated decision-making. This means that you have the right not to be subject to a decision based solely on automated processing, which significantly impacts you (“which produces legal effects concerning you or similarly significantly affects you”). In this respect, please be informed that we do not make use of automated decision-making.
i. Lodge a complaint with a EEA or UK supervisory authority, in particular in the state of your habitual residence, place of work or where an alleged infringement took place. Please refer to this webpage for an overview of the supervisory authorities in the EEA and their contact details. We would appreciate the chance to deal with your concerns before you approach the regulator, so please contact us beforehand.
If you wish to exercise any of the rights set out above, please contact us directly via the contact information provided below.
8.2 No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
8.3 What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
8.4 Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
We have established a point of contact within Seibu Prince Hotels to deal with any enquiries or comments from you in relation to the personal data we collect and hold in our possession, and will respond to such enquiries and comments in good faith to the extent reasonable and necessary, after the necessary identification of the customer or his/her representative. Please note that it may take a few days to reply, depending on the case.
10.1 Contact information
For further information on how we process your personal data, please contact us:
Our contact details:
|address (e.g. of house)||1-16-15 Minami Ikebukuro, Toshima-ku, Tokyo 171-0022, Japan Diamond Gate Ikebukuro|
Contact details for our representative in the EEA:
|Representation in the EU||First European Data Rep B.V.|
|address (e.g. of house)||WTC Amsterdam Airport|
Schiphol Boulevard 195
1118 BG Schiphol
Masahiko Koyama, President, Seibu Prince Hotels Worldwide, Inc.
Last revised: April 1st, 2022
Seibu Prince Hotels Worldwide, Inc. group companies (“affiliate entities”) are as follows:
Kawana Hotel, Inc
SHIMODA PRINCE HOTEL, INC
TOKYO BAY SHIOMI HOTELMANAGEMENT, INC.
UD Hospitality Management Corporation
SEIBU SINGAPORE PTE LTD
PRINCE HOTELS (THAILAND) CO., LTD.
PRINCE HOTELS USA, INC.