1. Basic Policy

Prince Hotels, Inc. and related group companies* (hereafter referred to as “the Group” which are listed at the end of this GDPR Privacy Policy (hereafter referred to collectively as “Privacy Policy”)), recognize that protecting the privacy of our customers and their personal information is the basis of the Group’s business and one of the Group’s social responsibilities. In order to responsibly protect our customers’ personal information, the Group has established the personal information protection policy set forth below. In this Privacy Policy the Group has established an in-house system and strategies for protecting personal information (hereafter referred to collectively as “Personal Information”) set forth in the General Data Protection Regulation (hereafter referred to as “GDPR”), which it is committed to implementing, maintaining, and continuously improving. The Group’s Personal Information protection system and activities are designed to comply with all relevant legislation and in-house rules, and to be worthy of our customers’ confidence.

2. Obtaining personal information from customers

2-1. Obtaining personal information
In the course of providing services to our customers, the Group may obtain from customers such Personal Information as their name, address, and contact information. When obtaining Personal Information from customers, only the necessary information will be obtained, and the purpose and extent of the utilization of the information will be clearly explained.

2-2. How information is obtained Personal Information is obtained by the following means in the course of customer transactions with the Group, related to Group facilities or products (such as accommodation, banquet, or bar/restaurant facilities, product sales, the provision/sale of amenities, the provision of services, and the holding of events) and other transactions. (1) Directly from the customer
By telephone, in writing, from business cards, verbally, or over the Internet (2) From a person duly authorized by the customer
Such authorized persons may include those authorized to make a reservation on behalf of a customer or to introduce a customer, travel agencies, and package tour companies. (3) From published information
Newspapers, Internet, telephone books, publications, and other written materials.

2-3. Types of personal information obtained by the Group The personal information obtained by the Group may include the following information: (1)Customer’s basic information (home address, name, gender, date of birth, email address, telephone number, facsimile number, mailing address, etc.)
(2)Customer’s additional information (occupation, place of work (company name, address, telephone number, post, position), date of marriage, family (name, relationship, birthdate), etc.)
(3)Payment information (credit card number, bank account, billing address, etc.)
(4)Service usage information (usage status of facilities, purchase status of goods, etc.)
(5)Contents of contact (email, input form of the website, facsimile, note made during a telephone call, letter, answer for surveys, etc.)
(6)Information obtained by the security system (security camera, card key, etc.)
(7)Information automatically obtained by websites of the Group (cookie, IP address, browser type, date and time of access, etc.)
(8)Matters included in the hotel register (home address, name, occupation, passport number, age, previous night’s accommodation, next destination, arrival date and time, departure date and time, name of guest rooms)
(9)Customer requirements regarding guest rooms, leisure activities, and other services, information required to fulfill special requirements
(10)Information required by administrative instructions, bylaws or ordinances.

2-4. Right to refuse to provide personal information The Group does not compel customers to provide Personal Information. At all times, the customer has the right to choose whether or not to provide Personal Information to the Group. However, in the event that a customer refuses to provide (1) his/her basic information, (3) payment information, and (8) matters included in the hotel register mentioned above in 2-3, it may not be possible to provide certain services, such as making reservations and using the hotel.

2-5. Obtaining information from minors The Group does not aim or intend to obtain Personal Information directly from minors. In the event that a minor provides the Group with Personal Information about the minor or the minor’s family without the agreement of the minor’s parents, please contact a Group representative. The Group will immediately cease use of the Personal Information and take any necessary action, including deletion of the Personal Information, in good faith. However, if a minor wishes to use the facilities of the Group, and provides Personal Information about himself/herself for that purpose, the Group shall handle said Personal Information in accordance with this Privacy Policy.

2-6. Sensitive Data The Group will not obtain customer’s Sensitive Data (racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership) and data related to criminal offences unless otherwise referred to in GDPR.

3．Consent

3-1. Consent The consent of the customer will, as a rule, be the legal basis of the processing of Personal Information by the Group (hereafter referred to as “Processing”). Necessity for the performance of a contract to which the customer is party to, necessity in order to take steps at the request of the customer prior to entering into a contract, necessity for the purposes of the legitimate interests pursued by the Group or by a third party, or necessity for compliance with a legal obligation to which the Group is subject will be the legal basis of Processing without such consent.

3-2. Withdrawal of consent Customers may withdraw his/her consent at any time. The withdrawal of consent will not affect the lawfulness of Processing based on consent before its withdrawal. The information subject may withdraw his/her consent by using the Group’s website form or by contacting a Group representative of Personal Information.

4. Use of customer Personal Information

4-1. Purposes for which Personal Information is used The Group uses customer’s Personal Information only for the purpose(s) and within the scope made clear to the customer. The Group makes absolutely no use of Personal Information for other purposes or beyond the indicated scope.

4-2. Types of Personal Information obtained by the Group and purposes of use The Personal Information obtained by the Group is used for the following purposes: (1) Making contact, shipment, and payment related to transactions regarding Group facilities such as hotels, restaurants, and leisure facilities, and Group’s goods, and other transactions. (2) Joining various Group membership organizations, managing membership information, providing membership service, etc. (3) Corresponding to inquiries and requirements made to Group (4) Providing email, mail, home delivery, telephone, facsimile, and other contact for guidance, advertising, or surveys regarding the operation of group facilities, tenants, and partners. (5) Ascertaining and analyzing services regarding facilities and goods of Group facilities, tenants, and partners for the purpose of improvement, development, and marketing, etc. of such services (6) Preparing and keeping the hotel register required by law. (7) Providing services from the Group based on individual customer requirements (8) Providing information related to products and services provided by the Group and trustworthy third parties (9) Improving Group services on the basis of customer needs The provision of various types of information in the above cases is by such means as direct contact with the customer, direct mailings, or email. When information is to be used for purposes other than the above, the purpose and limits of the proposed use are made clear to the customer prior to the acquisition or use of the personal information and is only obtained or used with the consent of the customer.

4-3. Use of cookies Cookies are a widely used technology on the Internet for identifying a customer’s computer. For purposes listed in 4-2, and also purposes of providing information appropriately and ensuring security at websites, and statistically analyzing maintenance management and usage status of websites, Group services may use information identifying the customer such as IP address, browser type, date and time of access, etc. combined with information on pages browsed by the customer, which is collected using cookies. Customers can disable cookies by changing their browser settings, but this may result in an inability to access some or all of the services provided on the website.

5. Provision to third parties and joint use of personal information

5-1. Limits to provision of information to third parties and joint use of information Unless referred to in GDPR, When providing customer's Personal Information to third parties or engaging in the joint use of such information, the Group will obtain consent of the customer. In this case, the Group will considerate the choice of above mentioned third parties and joint users, and require them to manage the above mentioned information appropriately by complying with GDPR etc. as if it were the Group.

5-2. Monitoring of subcontractors When using customer’s Personal Information, the Group may subcontract such information to a third party to the extent of legitimate use. The Group will require subcontractors to strictly manage Personal Information as if it were the Group, and ensure necessary and appropriate monitoring of subcontractors, And where using Personal Information, the Group will comply with the security of such information by entering into a contract which includes matters which must be stated in accordance to GDPR with subcontractors.

5-3. Scope and purposes of joint use of Personal Information The Group may jointly use Personal Information with Group companies and other companies within the approved scope of use. As a rule, jointly used Personal Information includes the following: (1) Customer’s basic information (home address, name, gender, date of birth, email address, telephone number, facsimile number, mailing address etc.)
(2) Customer’s additional information (occupation, place of work (company name, address, telephone number, post, position), date of marriage, family (name, relationship, birthdate) etc.)
(3) Payment information (credit card number, bank account, billing address etc.)
(4) Service usage information (usage status of facilities, purchase status of goods etc.)
(5) Contents of contact (email, input form of the website, facsimile, note made during a telephone call, letter, answer for surveys etc.)
(6) Information obtained by the security system (security camera, card key etc.)
(7) Information automatically obtained by websites of the Group (cookie, IP address, browser type, date and time of access etc.)
(8) Matters included in the hotel register (home address, name, occupation, passport number, age, previous night’s accommodation, next destination, arrival date and time, departure date and time, name of guest rooms) (9) Customer requirements regarding guest rooms, leisure activities, and other services, information required to fulfill special requirements
(10) Information required by administrative instructions, bylaws or ordinances.

5-4. Subconractors and joint users (1) When subcontracting the Processing of Personal Information wholly or partly, such subcontractor (2) Partners and subcontractors of business which provides goods and service, etc. to customers such as accommodation, food and drink, bridal work, leisure activity, and massage, etc. (3) Management companies of facilities, equipment, and system, and cooperative companies and tenants and lessees of Group facilities (4) Travel agencies, tourism industries, event planning companies, in-house agents, carriers and other clients of relevant business (5) Enterprises and professionals which gives professional advice regarding management and operation, etc. (6) Other clients, partners, and mediators of the Group (7) When jointly using Personal Information, joint user of such information (8) Each Group company (9) When providing Personal Information based on law, etc., the recipient of such information

6. Handling of personal information

6-1. Maintenance of accurate Personal Information The Group employs appropriate measures to ensure that customer Personal Information is kept accurate and up-to-date.

6-2. Storage period of Personal Information The Group will only store the Personal Information for the period necessary for the achievement of the purpose of use, and within a reasonable period after the expiration of the storage period, safely erase or anonymize the Personal Information.

6-3. Automated means The Group will not make decisions only on automated means such as profiling of Personal Information.

6-4. Customers' rights to the Personal Information Customers have the following rights based on GDPR, etc. Customers may exercise such rights by using the Group's website form or contacting a Group representative of Personal Information. In cases where a customer exercises such rights, except on exceptions stated in GDPR, etc., the Group will conduct an identity verification, and as a rule, contact such customer within one month after receiving the request. (1) Right of access
Right to obtain confirmation as to whether or not his/her Personal Information are being processed, and, where that is the case, access to such Personal Information and additional information added thereto
(2) Right to rectification
Right to request rectification of his/her inaccurate Personal Information
(3) Right to erasure
Right to request a erasure regarding the use of Personal Information in certain cases
(4) Right to restrict the use
Right to request a restriction regarding the use of Personal Information in certain cases
(5) Right to lodge a complaint
Right to lodge a complaint regarding the use of customer's Personal Information based on Legitimate interests pursued by the Group or by a third party
(6) Right to data portability
Right to receive Personal Information concerning him/her, which he/she has provided to the Group, in a structured, commonly used and machine-readable format and the right to transmit such information to another controller without hindrance from the Group.

6-5. Lodging a complaint with supervisory authorities Customers may lodge a complaint with a country, territory, international organization, or other supervisory authorities regarding the Processing by the Group of his/her Personal Information.

7. Transfers of Personal Information to third countries

When the transfer of Personal Information is necessary for the performance of a contract between the customer and the Group or the implementation of pre-contractual measures taken at the customer's request, the Group may transfer Personal Information obtained within the EU to Singapore, Thailand, or Japan. In case of transfer to a country which lacks an adequacy decision by the European Commission, the Group will take measures of the standard data protection to lawfully transfer customer's Personal Information.

8. Secure management of Personal Information

8-1. Compliance with relevant legislation, regulations, and guidelines The Group complies with theGDPR as well as other relevant laws, regulations, and industry guidelines.

8-2. Security measures The Group makes every effort to protect customer Personal Information with preventive and security measures to protect against unauthorized access, loss, destruction, tampering, and leaks.

8-3. Organizational system The Group has an organizational system in place for the protection of Personal Information within the Group, which includes a Personal Information Protection Officer for the Group as a whole and a Personal Information Management Officer for each division. The system also includes an audit department for the implementation of internal audits.

8-4. In-house rules for the handling and management of personal information The Group has established rules for the handling of Personal Information, to ensure that standards for the appropriate acquisition, maintenance, use, and disposal of Personal Information are established and adhered to. The Group has also defined a code of conduct and concrete rules for the activities of those handling Personal Information, to prevent unauthorized access, loss, destruction, tampering and leaking of Personal Information.

8-5. In-house training The Group implements staff training in relation to the protection of Personal Information and works to protect Personal Information by ensuring that the content of the training is thoroughly understood throughout the Group.

8-6. Continuous review of in-house rules relating to the handling and management of personal information The Group continually reviews and improves its rules for the handling of Personal Information and the organizational system for implementing those rules, to ensure that their implementation continues to be effective and appropriate.

9. Revision and publication of this policy

This Personal Information Protection Policy is subject to revision at any time to respond to revisions and changes in related laws and regulations and to social needs related to Personal Information. Any revisions are published on this website without delay and the most recent revision date is clearly shown.

Contact for inquiries and complaints

The Group has established a center for responding to customer inquiries and complaints about the personal information obtained and held by the Group. This center responds conscientiously, efficiently, and in the appropriate scope to such inquiries/complaints after confirming the identity of the customer or the customer’s representative. Depending on the request, the response may require several days.

Prince Hotels Personal Information Center
Email address: privacy@princehotels.co.jp

Masahiko Koyama, President, Prince Hotels, Inc.

Enacted: November 1 , 2018

Group companies are as follows:
SEIBU SINGAPORE PTE LTD
PRINCE HOTELS (THAILAND) CO., LTD.
PRINCE HOTELS USA, INC.
TOKYO BAY SHIOMI HOTELMANAGEMENT, INC.