PRIVACY NOTICE
Protecting the security and privacy of your personal data is important to Grand Hotel Kempinski Vilnius (“we”; “our”; “us”). Therefore, we process personal data in compliance with applicable laws on data protection and data security, in particular the General Data Protection Regulation (“GDPR”), as outlined below.
This Privacy Notice (“Notice”) tells you about the information we collect and process about you when you visit our spa, regardless of whether you are a spa member of Kempinski The Spa (“Spa Member”) or a daily visitor without membership of Kempinski The Spa (“Daily Visitor”, both referred to as “Guests”). Where necessary in the context of this Notice, we distinguish between Spa Members and Daily Visitors hereafter.
1 WHAT PERSONAL INFORMATION MIGHT WE PROCESS ABOUT YOU?
In the context of your relationship with us, we may process the following categories of personal data of current and future Guests:
• Contact information, i.e. full name, email address, telephone number;
• Spa preferences, i.e. information you expressly provide to us in relation to the spa treatment, such as pressure of massage (light, medium, strong) or massage focus areas;
• Information on booked spa services, i.e. date and type of treatment.
In addition, if you become a Spa Member, we may also process the following categories of personal data about you:
• Personal details, such as date of birth, nationality, occupation, residential address;
• Payment data, such as data necessary for processing payments and fraud prevention, including credit/debit card numbers, security code numbers and other related billing information.
In some cases, the provision of at least some of your personal information is a requirement necessary to enter into a contract. Therefore, if you refuse to share such personal data, we may not be able to provide the spa services you request.
2 WHY DO WE PROCESS YOUR PERSONAL INFORMATION?
We may process Guests’ personal data for the following purposes:
• Communicating with you about our services, e.g. by responding to inquiries or requests or providing you with information about the spa;
• Planning, performing and managing the contractual relationship with you regardless of whether you are a Spa Member or Daily Visitor, e.g. by performing specific treatments in line with your preferences, processing payments, performing accounting, auditing, billing and collection activities;
• Ensuring compliance with legal obligations (such as record keeping obligations); and
• Solving disputes (for which we e.g. document your treatments), enforcing our contractual agreements and establishing, exercising or defending legal claims.
In addition, we may process Guests’ personal data to manage the relationship and in particular to accommodate Guests’ preferences in case Guests visit any other Kempinski The Spa facilities worldwide.
3 WHAT IS THE LEGAL BASIS FOR OUR PROCESSING OF YOUR DATA?
It is necessary to process this personal data for the purposes listed in section 2 above. Unless expressly stated otherwise, when we collect personal data from you, the legal basis for the processing of your personal data is:
• Art. 6 para 1 b) GDPR, if we process the data in connection with the contract with you;
• Art. 6 para 1 f) GDPR, if we process the data to enable our business and pursue our legitimate interests. Our legitimate interest is to communicate with you about our services or to respond to your queries or requests and to efficiently perform or manage our relationship with you;
• Art. 6 para 1 c) GDPR, if we process the data to comply with legal obligations we are subject to.
We will only send you relevant and personalized marketing communications if you have consented to receiving such communication. You have the right to withdraw your consent at any time. You can withdraw your consent by reaching out to us under the contact details provided in section 9 below. In the case of electronic direct marketing emails, there are also instructions at the bottom of the communication as to how you can be removed from our lists.
4 UNDER WHAT CIRCUMSTANCES WILL WE TRANSFER YOUR PERSONAL INFORMATION, ALSO OUTSIDE THE EU/EEA?
We may transfer Guests’ personal data to:
• third parties which provide IT services to us and which process such data only for the purpose of such services (e.g., hosting or IT maintenance and support services); and
• courts, arbitration bodies, law enforcement authorities, regulators or attorneys if necessary to comply with the law or for the establishment, exercise or defense of rights or legal claims.
In addition, we may transfer Guests’ personal data to other Kempinski The Spa facilities at other hotels to accommodate Guests’ preferences in case Guests visit any other Kempinski The Spa facilities: a list of all Kempinski The Spa facilities is available here.
In some cases, we will be transferring personal information to countries outside the European Economic Area (“EEA”). Such transfers will only happen for the specific purposes mentioned under section 2 above, and we will always ensure that appropriate safeguards are in place for such transfer. Where the personal information you send us is transferred by us or our service provider(s) outside the EEA, and where this is a country which is not subject to an adequacy decision by the EU Commission, we protect your privacy adequately by entering into EU approved contractual clauses with service providers operating outside the EEA, by ensuring our service provider(s) are registered with the EU-US Privacy Shield, or by a service provider’s Processor Binding Corporate Rules. For further information, including obtaining a copy of the documents used to protect your information, please contact us as described in section 9 below.
5 FOR HOW LONG WILL WE RETAIN YOUR PERSONAL INFORMATION?
Unless indicated otherwise at the time of the collection of your personal data (e.g. within a form completed by you), we erase your personal data if the retention of that personal data is no longer necessary (i) for the purposes for which they were collected or otherwise processed, or (ii) to comply with legal obligations (such as retention obligations under tax or commercial laws).
6 WHAT ARE OUR SECURITY MEASURES?
We will implement security measures to protect your personal data against manipulation, loss, destruction, and against unauthorised access. We continuously revise our security procedures based on the newest technological developments. In practice, it is not possible to provide 100 % security, and therefore we cannot guarantee that the information is protected completely against anyone who succeeds in circumventing the security measures and gaining access to the data. Thus, you provide your data at your own responsibility.
7 WHAT ARE YOUR RIGHTS?
You may have the right to access your personal data and to obtain a copy of your personal data (Art. 15 GDPR); to correct, delete or restrict (stop any active) processing of your personal data (Art. 16-18 GDPR); and to obtain the personal data you provide to us for a contract or with your consent in a structured, machine readable format, and to ask us to share (port) this data to another controller (Art. 20 GDPR). In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing - Art. 21 GDPR).
Where we have asked for your consent, you may withdraw consent at any time. If you ask to withdraw your consent to us processing your data, this will not affect any processing which has already taken place at that time.
These rights may be limited under the GDPR, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping.
To exercise any of the above-mentioned rights, you can get in touch with us using the details set out in section 9 below. When addressing us, please always provide your name, address and/or email address as well as detailed information about the change you require.
8 UPDATES TO THIS DOCUMENT
This Notice may be updated periodically. We will update the date at the bottom of its last page accordingly and encourage you to check for changes that we have made. Please ask for the newest version of this Notice by using the contact details below. On some occasions, we may also actively advise you of specific data handling activities or significant changes to this Notice, as required by applicable law.
9 CONTACT US AND YOUR RIGHTS OF COMPLAINT
The data controller for your personal data will be Grand Hotel Kempinski Vilnius. If you have questions about this Notice or wish to contact us for any reason in relation to our personal data processing, please contact us anytime at [email protected].
If you have a concern about the way we handle your personal data, you have the right to complain to the Data Protection Authority of your habitual residence, place of work or place of the alleged infringement. A list and contact details of local data protection authorities is available here.
This Privacy Notice was last updated on 1 October 2018.