This policy relates to the collection, use and storage by InterContinental Bandung Dago Pakar of all personal data of our guests and any other third parties. Such third parties include potential guests, shareholders, franchisees, potential and existing hotel owners, people who enter our competitions or communicate with us via social media and all other people we interact with as part of our business activities.
The aim of this policy is to make sure that InterContinental Bandung Dago Pakar complies with applicable laws and regulations regarding how we manage personal data. These laws and regulations are known generally as data privacy or protection laws and regulations. The damage caused by breaching data privacy laws can be severe and, apart from the reputational damage to INTERCONTINENTAL BANDUNG DAGO PAKAR or IHG and its brands, can lead to heavy fines and (in some countries) criminal sanctions.
The following definitions are used:
Personal data: is any information relating to an identifiable living individual who can be identified from that data (or from that data combined with other data in our possession or that is likely to come into our possession). It includes, but is not limited to, name, address, email address, date of birth, credit or debit card number.
Sensitive personal data: is information concerning racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual life, criminal record and physical or mental health information. Information such as meal preference, disabled access requests or room occupancy should be considered sensitive personal data as it can indicate religious beliefs, health information or sexual life.
The IHG policy is to comply with all applicable data privacy laws and regulations.
All IHG employees and all IHG owned and managed hotels are required to comply with this policy which sets out the IHG “minimum standard”. Local laws or local IHG policies and procedures may however require a higher standard which must also be complied with.
Breach of the policy may lead to disciplinary procedures.
2.1 Collecting Personal Data
- Collect only the minimum personal data necessary for the specific purpose for which the individual has provided it.
- Collect or retain sensitive personal data only to the extent necessary to comply with a specific request of the individual (e.g., meal preference or disabled access request) or with the consent of the individual.
- Personal data should not be used for any purpose incompatible with the purpose it has been collected for, or which has not been notified in a Privacy Statement, without the consent of the individual.
2.2 Privacy Statement
Information about how IHG manages personal data (including how the data will be used and who it will be shared with) should be available to an individual when their personal data is collected (whether collected in person, on a paper or online form, over the telephone, or in video or audio recordings). In many cases, the IHG external privacy statement and policy (“Privacy Statement”), available at ihg.com, will be sufficient but any collection or use of personal data not covered by this Privacy Statement may require amendment of the Privacy Statement or creation of a project-specific privacy disclosure. In particular, any proposed use of personal data which is likely to be unexpected should be clearly communicated at the point of collection, for instance (depending on how the data is being collected), by way of a statement in a paper or online form or in a telephone script.
- All IHG branded corporate or hotel websites or mobile applications must contain a Privacy Statement. The Privacy Statement must generally comply with (and, in most cases, should be identical to) the IHG corporate Privacy Statement available at ichotelsgroup.com. If there is any inconsistency between the IHG corporate Privacy Statement and the way the personal data will be used, stored or transferred for a particular purpose, this must be clearly disclosed.
- Legal Team approval is required for any changes to any existing Privacy Statement or the creation of any new Privacy Statement.
- It is a legal requirement in some countries, and IHG best practice, to obtain consent from an individual before sending any marketing communications.
- All marketing communications must contain a clear, easy and free way for the individual to opt-out of further marketing communications, e.g., a clear unsubscribe button in an email (this includes individuals who have previously given consent to receive marketing communications). Some countries also require that individuals must be able to register their withdrawal of consent for marketing at any time, for instance, on a preference register or by making a written request.
- If an individual unsubscribes (in any manner) then their details should be suppressed as soon as possible so they are no longer contacted and so that IHG records show that they should not be contacted in the future.
- Anyone responsible for direct marketing must ensure that a process is in place to respond to “opt-out” requests. This process must be linked to the IHG central process for responding to “opt-out” requests as, depending on the request, the individual’s details may need to be suppressed from several or all marketing lists.
- Where consent is required, a Privacy Statement (see above) should be available prior to the individual giving consent, so their consent is given on an informed basis.
- A record must be kept of whether consent has been obtained, including where it has been obtained over the phone or in person.
- The Legal Team should advise on consent requiremen
2.5 Transfer of Personal Data
- Personal data must never be sold to third parties.
- Personal data should not be provided to or accessed by any IHG AND INTERCONTINENTAL BANDUNG DAGO PAKAR colleague or any third party who is not authorized to receive or access it.
- If personal data is to be transferred to third parties in relation to services they are providing to us this must be covered in a written contract which must be reviewed by the Legal Team prior to signing.
- Personal data must be protected during transfer in accordance with the IHG Information Security Standards applicable to “restricted information”.
- You must get approval from the Legal Team before transferring personal data across any national border (i.e., between different countries) and outside IHG AND INTERCONTINENTAL BANDUNG DAGO PAKAR network.
- You must get approval from the Legal Team if you are setting up a new business process that will involve cross-border transfers of personal data even if the transfers will remain within the IHG corporate computer network.
2.6 Requests for Personal Data
- If law enforcement or government agencies request release of personal data, you should contact your local risk or security team promptly before disclosing any personal data. Require
- For all other requests, except when complying with legal requirements, you must obtain written authorization from an individual before providing their personal data in response to a request from anyone outside IHG, even if, for example, the person requesting the information claims to be a family member.
- In many countries people are legally entitled to know whether a company is holding their personal data, what that personal data is and what it is being used for. People may also ask for their personal data to be corrected, deleted or destroyed. There are deadlines for complying with these requests. Any such request must be notified to the Legal Team as soon as possible so that they can manage the response.
2.7 Security of Personal Data
- All personal data (in whatever form including electronic, audio, video and paper) must be protected in accordance with the IHG Information Security Standards applicable to “restricted information” which is the highest information security classification.
- If you think that personal data may have been lost or stolen (e.g., your laptop has been stolen or you have lost a portable storage device or hard-copy personal data) you must immediately notify the Legal Team.
- Personal data must not be stored on laptops or removable storage devices unless it is encrypted.
2.8 Retention and Destruction
- Personal data should not be retained for longer than necessary for the purpose for which it was collected or to comply with legal requirements. Personal data should regularly be reviewed to assess whether the information is still needed. Information that is no longer needed for the purposes for which it was collected should be securely deleted or destroyed.
- Personal data must be destroyed in a manner reasonably intended to prevent the misappropriation or other unauthorized use of the information, for instance by shredding paper records containing personal data, using secure document disposal facilities or secure electronic destruction.
3. Related Policies and Guidance
IHG Information Security Policy and Standards
If you are starting a new business activity that involves the collection or use of personal data, are concerned that current business activities do not comply with this policy, or have any other questions or concerns regarding this policy or data privacy, please contact the Legal Team. Contacts for the Legal Team can be found on Merlin on the Business Reputation and Responsibility Pages.