Data Protection Policy
Given the relationship between the Properties and their Guests, We as the Property / Management have set out a personal data protection policy in accordance with the requirements laid down in the European General Data Protection Regulation (“GDPR”) where applicable and the Kenya Data Protection Act.
We undertake to protect the privacy of our Guests (“data subjects”) within the framework of their activities by ensuring the protection, confidentiality and security of their personal data collected. The main objective of this data protection policy is to concentrate in a single document clear, simple and precise information concerning the data processing operations carried out by us, in order to enable the data subjects to understand what information and personal data (“personal data”) are collected, how they are used and what their rights are with regard to these personal data.
“Collect” means to obtain personal data. Data may be collected at the time of booking, during the stay(s), or during the contractual relationship between us and the data subjects;
“Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“controller” means the person or body which, alone or jointly with others, determines the purposes and means of the processing of your personal data;
“Online services” means digital services offered by US, such as websites, applications, or associated services;
“Partners” should be construed in the broadest sense and means in particular service providers, subcontractors, intermediaries, and suppliers working with US;
“Processing of personal data”: means any operation or set of operations in relation to data, whatever the mechanism used;
“Products or services” means all products and services, including technological products and services (websites, applications and associated services) offered or to be offered by us;
“Prospect” means any person who has contacted us to obtain information about a product or service offered by us.
“US” means the Management and Properties as shall in the context apply.
When do we collect personal data?
Personal data may be collected primarily in the context of:
- The entry into contract with us.
- The reservation of products and services offered by us.
- The data subject’s use of any of our products and services, including technological services (website, application, and associated services).
- The provision of products or services to meet specific Guests’ requests.
- The relationship between us, their prospects, Guests and partners;
- The performance of contracts.
The performance of legal or regulatory obligations relating to the activity of the Property and having an impact on the protection of personal data (such as police records for foreign Guests, tourist taxes, obligations in relation to tax, audit, or anti-fraud, anti-money laundering and anti-terrorist financing, judicial requisition); and
Those relating to the management of the commercial relationship in relation to complaints or satisfaction surveys.
What categories of data do we process?
- Personal data means any information relating to a natural person which permits to the identification of him or her, directly or indirectly.
- Personal data may include an individual’s first and last name, telephone number, photograph, video recording, postal address, email address, occupation, identification documentation, location data, and computer’s IP address.
- The data collected by us may be divided into the following main categories:
Declarative personal data
Declarative personal data are those provided by the data subjects and collected by us in the context of commercial or contractual relationships.
The data come mainly from the data subjects and the persons authorized by the data subjects to transmit them to us. For example, the data subject may be asked to provide personal data relating to his or her preferences (e.g. in terms of food or press) or to his or her family, economic, property and financial situation, or data which may potentially allow deducing information relating to his or her health, religious affiliation (food allergy, accessories for the practice of religion). Personal data may also be collected as part of the hosting service.
Personal data related to the functioning of OUR products and services
- Personal data may arise from the use by the data subjects of OUR products and services or may relate to operations carried out via the products and services offered by us in the context of their relationship with the data subject. For example, information is collected on the services provided during the data subject’s stay to improve Guests’ knowledge, the comfort of the stay or the organization of future stays.
Personal data from third parties
- The personal data processed may also come from:
- Booking intermediaries;
- Loyalty programs to which the Guests have subscribed;
- Subcontractors, partners of OURS or third parties if their personal data protection policies allow it;
- Third parties (hotels, associations, police services, etc.) in relation to the fight against fraud, unpaid bills and bad behaviour;
- Other products or services provided by third parties to which the data subjects have subscribed and/or for which they have authorized sharing with us.
Public personal data
We may collect public personal data concerning the data subjects and use such public information or personal data where permitted by law or regulation and in compliance with the specific rules of communication and re-use specified by such law or regulation.
Personal data is calculated or inferred by us.
- We may generate or calculate new personal data based on declarative personal data or data related to the functioning of the products and services, in particular, to adapt their products and services and personalize the offers that can be made to Guests.
What personal data do we process?
We process the following main personal data for Guests and their accompanying persons:
- Surname / First name:
- Date of birth/age:
- Nationality/place of origin:
- Contact information (mailing address and email address, telephone number) :
- Personal identification numbers and details:
- Profession (business cards) :
- Duration and date of booking, and stays:
- Preferences or specific requests expressed during the booking and/or stay:
- Special points of attention necessary for the smooth running of the stay (such as the risk of allergies or medical information about contraindications to spa treatments).
How do we share the data we collect?
The personal data collected, as well as those that will be obtained later, are intended for us in our capacity as the data controller.
We ensure that the personal data of the data subjects are only accessed by authorized persons and only when necessary for the performance of their tasks.
Some personal data may be sent to third parties to comply with legal, regulatory or contractual obligations or to legally authorized authorities (such as police, tourism authorities, obligations under the AML/CFT (Anti-Money Laundering/Combating the Financing of Terrorism Act) or by request from any Government Authority.
At the request of their Guests, WE may transmit personal data to third parties in order to subscribe to products and services from these third parties (book a restaurant, a private car, travel or tickets). Guests are informed that the third party is responsible for their own processing; Guests are therefore invited to contact the third-party recipients to be informed of the terms and conditions of any processing carried out in that context.
How long do we keep personal data?
Personal data are stored in OUR information systems or those of their subcontractors or providers.
Lawfulness of processing
- We undertake that WE will not process data collected unlawfully.
- Processing is lawful to the extent that at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data;
- Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary to comply with a legal obligation to which WE are subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
- Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party;
- We are committed to guaranteeing the ethics and security of the personal data of our Guests, WE use personal data in accordance with the terms of this data protection policy, and the general terms and conditions of the products and services subscribed by the Guests.
- We use all or part of the personal data for the following main purposes:
- Taking steps at the request of the data subject prior to entering into a contract;
- Executing and performing services;
- Managing Guests’ reservations and stays;
- Managing relationships with OUR partners;
- Managing contracts entered into with the data subjects;
- Managing our activities;
- Ensuring Guests satisfaction;
- Compiling statistics.
Rights of data subjects
- The individuals whose data are processed are granted the following rights, unless otherwise legally required from us:
- The right of information;
- The right of access;
- The right to erasure or the right to be forgotten;
- The right to portability;
- The right to object;
- The right to restriction of processing;
- The right to question.
a) Right of information
The data subjects acknowledge that this data protection policy provides them with information about the purposes, the legal framework, the legitimate interests pursued by us, the recipients or categories of recipients with whom their personal data is shared, and the possibility of a data transfer to a third country or international organization. However, regarding the right of information, WE are not required to provide information if the data subjects already possess the information, if the recording or disclosure of their personal data is expressly laid down by law, or if the provision of information proves to be impossible or would involve a disproportionate effort.
b) Right of access and rectification
The data subjects have a right to access and rectify their personal data, which they can exercise with us. In this respect, the data subjects may obtain confirmation as to whether or not personal data is being processed, and, where that is the case, access to that personal data:
Data subjects may ask us, as the case may be, to rectify or complete their personal data that is inaccurate, incomplete, equivocal or expired.
Any request for exercising the right of access and rectification must be made in writing by sending a letter together with a copy of an identity document.
c) Right to erasure or right to be forgotten
Data subjects may ask us to erase their personal data where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- The data subject withdraws his or her consent;
- The data subject objects to the processing of his or her personal data;
- The processing of personal data does not comply with the provisions of the applicable legislation and regulations.
However, data subjects are informed that the exercise of this right will not be possible when the retention of their personal data is necessary for compliance with statutory or regulatory provisions and in particular for exercising the right of freedom of expression and information, or for the establishment, exercise or defence of legal claims.
Storage period and restriction
We undertake that we will not keep personal data longer than necessary other than to fulfil the purposes for which the data is stored or no longer than the period provided for by the regulations relating to the protection of personal data.
Framework for transfers outside the European Union
The personal data that data subjects in the territory of the EU have transmitted to US in accordance with the agreed purposes may be transferred to countries inside the European Union or outside the European Union.
- As part of our security measures, WE use video surveillance systems in designated places in and around the Property.
- Data subjects are informed that these images are recorded and stored and that they may lead to the identification of the filmed persons either by the systems implemented or by the authorized persons having access to the images.
Consent for the collection of personal data
- I agree to the use of my last name, first name, and e-mail address by the Property and its affiliates to send me newsletters about their activities.
- Mandatory information is marked with an asterisk. If I refuse to communicate this information, I won’t receive the newsletters.
- My data is stored if I have not withdrawn my consent and is intended for the services of Properties.
- I have been informed that I have the rights to information, access, rectification, erasure, restriction of processing and data portability.
- I have authority to bind my Party, who consent to the processing of their personal data.
I consent to the collection of my personal data in line with this Data Protection Policy, the GDPR and the Data Protection Act (2019).
In case any provision in the agreement shall be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions shall not in any way be affected or impaired thereby and such provision shall be ineffective only to the extent of such invalidity, illegality or unenforceability.
You have read and fully understand the terms and conditions as set out above with which you have acquainted yourself and the implications thereof and acknowledge that you are bound thereby without reserve.