CHINA ADDENDUM TO THE GLOBAL HOTEL ALLIANCE - PRIVACY POLICY
This China Addendum to the Global Hotel Alliance - Privacy Policy ("Addendum") is a part of the Global Hotel Alliance - Privacy Policy ("Privacy Policy") and should be read in conjunction with it and can be found here.
Please get in touch with us using the information in the "HOW TO CONTACT US" section below if you have any questions about the Privacy Policy or this Addendum.
1. ABOUT THIS ADDENDUM
Protecting your Personal Information is very important to GHA, and this Addendum describes the practices that we follow as a Personal Information Processor to Process Personal Information that is protected by the PIPL. Specifically, this Addendum applies to any activity where we Process the Personal Information of a natural person within China or where we Process the Personal Information of a natural person outside China under the following circumstances:
- where the purpose of the activity is to provide a product or service to a natural person located within China;
- where the purpose of the activity is to analyse or assess the behaviour of a natural person located within China; or
- any other circumstance as provided by law or administrative regulations.
This Addendum describes:
- definitions;
- how we collect and Process your Personal Information;
- transfers of Personal Information;
- your rights; and
- how to contact us.
If the terms of the Privacy Policy and this Addendum conflict in relation to Personal Information protected by the PIPL, this Addendum prevails.
2. DEFINITIONS
In this Addendum, we use some special words and phrases. The following definitions apply to those special words and phrases:
"Anonymisation" refers to the process in which any Personal Information is Processed to the extent that it cannot identify a specific natural person and cannot be restored to its original state.
"China" for the purposes of this policy refers to mainland China only and does not refer to the Hong Kong Special Administrative Region, Macau Special Administrative Region, or Taiwan China.
"Controller" or "Personal Information Processor" refers to any organisation or individual that independently determines the purpose and method of Processing in their activities of Processing of Personal Information.
"Entrusted Processor" generally refers to any vendor or service provider we engage to Process Personal Information on our behalf under a contract that meets the requirements in Article 21 of the PIPL.
"GHA", "us", or "we" refers to GHA Loyalty DMCC, a legal entity with a place of business at 21st Floor, JBC5 Tower, Jumeirah Lake Towers, PO Box 487771 Dubai, United Arab Emirates.
"Overseas Recipient" refers to an organisation or individual located outside China that receives Personal Information from GHA.
"Personal Information", "Personal Data", or "Data" all bear the same meaning for the purposes of this Addendum and refer to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been Anonymised.
"PIPL" means the Personal Information Protection Law of the People's Republic of China.
"Processing", "Process", or "Processed" includes the collection, storage, use, editing, transmission, provision, disclosure, and deletion of Personal Information.
"Relevant Laws and Regulations" refers to the Personal Information Protection Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Civil Code of the People's Republic of China, and other applicable laws and regulations of the People's Republic of China.
"SDK" refers to Software Development Kit, which is usually a software tool used to assist application development to realise specific functions of the application. Common SDK types include advertising, push, statistics, maps, third-party login, social payment, risk control, identity authorisation, framework, etc.
"Security Incident" refers to the unlawful or accidental destruction, alteration, loss, misuse, access, modification, or disclosure of Personal Information.
"Sensitive Personal Information" refers to Personal Information that, once leaked or illegally used, will easily lead to infringement of the human dignity or harm to the personal or property safety of a natural person, including biometric recognition, religious belief, specific identity, medical and health, financial account, personal location tracking and other information of a natural person, as well as any Personal Information of a minor under the age of 14.
"Sites" refers to zh.ghadiscovery.com, the GHA DISCOVERY mobile application, and other websites and applications operated by or on behalf of GHA.
3. HOW WE COLLECT AND PROCESS YOUR PERSONAL INFORMATION
We only Process your Personal Information if there is a legal basis. The legal bases we rely on to Process Personal Information may depend on the specific purposes we are trying to achieve. We typically rely on one or more of the following legal bases:
- where it is necessary for the conclusion or performance of a contract to which you are a contracting party;
- where it is necessary for performing a statutory responsibility or statutory obligation;
- where it is necessary for responding to a public health emergency or for protecting the life, health, or property safety of a natural person in the case of an emergency; and
- any other circumstance as provided by Relevant Laws and Regulations.
Where none of the above legal bases apply, we will seek your consent before Processing your Personal Information.
Types of Personal Information we collect
We collect the Personal Information from you as follows:
| Type of Personal Information | Personal Information Elements | Retention Period |
| Browsing the Sites | IP Address Internet Service Provider Login frequency Pages visited within the Sites Operating system Website or mobile apps from which an accessing system reaches Sites* Internet browser | 6 Months |
| Contacting us | Personal Information you voluntarily provide when you send us an enquiry or support request via email* Records of your communications with us* | Indefinitely until deletion is requested |
| Surveys | Survey feedback* | 1 年 |
| GHA DISCOVERY 会员注册信息 | Member number Email address Name Phone number Date of birth Preferred communication methods Language preference Preferences and interests Physical address Member password* | Indefinitely until deletion is requested |
| GHA DISCOVERY 预订信息 | Hotel booked Booking, Arrival and Departure Date Number of room occupants (Adults, Children) Room category booked Price | Indefinitely until deletion is requested |
| GHA DISCOVERY 旅行购买信息 | Billing address of credit cards used to purchase travel* Credit card information, including card number, card type, cardholder name, and expiration date* | 1 年 |
| Cookies | Cookies* | 1 Year |
We have marked Sensitive Personal Information that we Process with "*" for your reference. We need to Process your Sensitive Personal Information to achieve the purposes described below. Before we Process your Sensitive Personal Information, we will seek your separate consent in accordance with Relevant Laws and Regulations.
We do not collect Personal Information from minors under the age of 14. Please ensure that minors in your care do not send us their Personal Information without your consent. If we have received the Personal Information of any minor under the age of 14 in your care, you can get in touch with us using the information in the "HOW TO CONTACT US" section below to have such Personal Information deleted.
Our Processing purposes
We Process your Personal Information for the following purposes:
| 目的 | Types of Personal Information |
| 管理您的账户并计算 DISCOVERY 奖励金 (D$) | GHA DISCOVERY Member registration information GHA DISCOVERY reservation information |
| 协助您规划和购买行程 | GHA DISCOVERY Member registration information GHA DISCOVERY reservation information GHA DISCOVERY travel purchase information |
| 通知您旅行变更 | GHA DISCOVERY Member registration information GHA DISCOVERY reservation information |
| 向您发送营销资讯或调查 | GHA DISCOVERY Member registration information GHA DISCOVERY reservation information Any other information you may provide in response to the survey |
| 回复您的问题或建议 | GHA DISCOVERY Member registration information GHA DISCOVERY reservation information Any other information you may voluntarily provide |
| 改善我们网站的访问质量 | 有关您设备的 Cookie 信息和技术信息 |
| 修改或更新您的个人资料和偏好详细信息 | GHA DISCOVERY 会员注册信息 |
When you use our application and WeChat mini program, to ensure the normal, safe, and stable operation of related services and functions, we may seek the following device operating system permissions from you:
| Name of system permissions | Description | Purposes | Applicable platforms |
android.permission.ACCESS_NETWORK_STATE | View network status. | Allows an application to view the status of all networks. | Android |
android.permission.INTERNET | To perform network operations in your application. | Grant permission for your application to access the internet. | Android |
android.permission.ACCESS_FINE_LOCATION | Allows ask for foreground precise location access. Checks Accurate location. | Permits requesting foreground access to precise location. Verifies exact location. | Android |
android.permission.ACCESS_COARSE_LOCATION | Allows ask for foreground location access. Verifies zones geographical areas. | Allows location access. Confirms geographical zones. | Android |
android.permission.WRITE_CALENDAR | Allows an application to write the user's calendar data. | To access Calendar, write permissions. | Android |
android.permission.READ_CALENDAR | Allows an application to read the user's calendar data. | Grants permission for an application to access and read the user's calendar data. | Android |
${applicationId}.permission.RSYS_SHOW_IAM | To show an In-App message or Rich Push message on Android || Responsys. | To receive notifications or messages within an app on their Android device. | Android |
${applicationId}.permission.PUSHIO_MESSAGE | To handle push notifications || Responsys. | To manage incoming push notifications effectively on their device. | Android |
${applicationId}.permission.C2D_MESSAGE | Prevents other applications from registering and receiving the application's messages || Responsys. | Ensures that only the intended application can receive and process its messages, blocking interference from other apps. | Android |
NSUserTrackingUsageDescription | A message that informs the user why an app is requesting permission to use data for tracking the user or the device. | To track user or device data. | IOS |
NSCalendarsUsageDescription | A message that tells people why the app is requesting access to their calendar data. | A notification that clarifies the reason for the app's request to access users' calendar data. | IOS |
NSCameraUsageDescription | A message that tells the user why the app is requesting access to the device’s camera. | To access device's camera. | IOS |
NSLocationAlwaysAndWhenInUseUsageDescription | A message that tells the user why the app is requesting access to the user’s location information at all times. | To have continuous access to the location information, when app is in use. | IOS |
NSLocationAlwaysUsageDescription | A message that tells the user why the app is requesting access to the user's location at all times. | To have continuous access to the location information, when app is in use and also not in use. | IOS |
NSLocationUsageDescription | A message that tells the user why the app is requesting access to the user’s location information. | App needs access to the user's location even when the app is not in use, for example, when the app is running in the background. | IOS |
NSLocationWhenInUseUsageDescription | A message that tells the user why the app is requesting access to the user’s location information while the app is running in the foreground. | Appears in the permission dialog that iOS presents to the user when they first launch the app and it requests permission to access their location. | IOS |
NSPhotoLibraryUsageDescription | A message that tells the user why the app is requesting access to the user’s photo library. | To access users' photo library. | IOS |
4. TRANSFERS OF PERSONAL INFORMATION
Entrusted Processing
In order to provide certain services to you, we may need to engage an Entrusted Processor to Process some of your Personal Information. We will enter into strict confidentiality agreements and include Personal Information protection clauses in other agreements with Entrusted Processors that require them to process and protect your Personal Information in accordance with our own high standards, this Addendum and Relevant Laws and Regulations.
Typical examples of Entrusted Processors that we engage with include:
- Professional advisors, such as lawyers, accountants, tax consultants, etc.;
- Technical experts, such as IT security specialists, etc.; and
- Others, such as marketing experts, surveyors, etc.
Domestic Transfers
| Recipient | Contact Details | Processing Purpose | Types of Personal Information | Methods of Processing |
| Capella Tufu Bay, Hainan | shushien.lee@capellahotelgroup.com | For the operation of the GHA DISCOVERY loyalty programme, including recognising and rewarding members for their stays at the hotel | Programme Participant details including travel booking information; identification data (name and surnames, NIF/ID Card, address, telephone, mail, signature, electronic signature); personal characteristics data (civil status, date of birth, place of birth, age, sex, nationality, native language); data relating to social circumstances (interests and lifestyle, membership in the loyalty program, membership number). | Automated and manual input and exchange of Personal Information, using digital systems to interface between the hotels and GHA Loyalty DMCC. |
| 上海建业里嘉佩乐酒店 | shushien.lee@capellahotelgroup.com | |||
| Kempinski Hotel Chongqing China | yannick.brandner@kempinski.com | |||
| Kempinski Hotel Changsha | yannick.brandner@kempinski.com | |||
| Kempinski Hotel Chengdu China | yannick.brandner@kempinski.com | |||
| Kempinski Hotel Dalian China | yannick.brandner@kempinski.com | |||
| Kempinski Hotel Fuzhou | yannick.brandner@kempinski.com | |||
| Kempinski Hotel Hangzhou China | yannick.brandner@kempinski.com | |||
| Kempinski Hotel Yinchuan China | yannick.brandner@kempinski.com | |||
| Kempinski Hotel Guiyang China | yannick.brandner@kempinski.com | |||
| Kempinski Hotel Nanjing China | yannick.brandner@kempinski.com | |||
| Kempinski Hotel Beijing Yansha Center | yannick.brandner@kempinski.com | |||
| Sunrise Kempinski Hotel Beijing | yannick.brandner@kempinski.com | |||
| Yanqi Hotel Beijing managed by Kempinski | yannick.brandner@kempinski.com | |||
| Yanqi Island Pavilion Beijing managed by Kempinski | yannick.brandner@kempinski.com | |||
| Grand Kempinski Hotel Shanghai China | yannick.brandner@kempinski.com | |||
| Kempinski Hotel Suzhou | yannick.brandner@kempinski.com | |||
| Kempinski Hotel Shenzhen | yannick.brandner@kempinski.com | |||
| Kempinski Hotel Jinan | yannick.brandner@kempinski.com | |||
| Kempinski Hotel Taiyuan China | yannick.brandner@kempinski.com | |||
| Kempinski Hotel Xiamen China | yannick.brandner@kempinski.com | |||
| Kempinski Residences Guangzhou | yannick.brandner@kempinski.com | |||
| Kempinski The One Suites Hotel Shanghai Downtown | yannick.brandner@kempinski.com | |||
| NUO Hotel Beijing | yannick.brandner@kempinski.com | |||
| Beijing Hotel NUO | yannick.brandner@kempinski.com | |||
| Anantara Guiyang Resort | sutthinan_so@minor.com | |||
| Anantara Xishuangbanna Resort | sutthinan_so@minor.com | |||
| NH Zhengzhou Jinshui | sutthinan_so@minor.com | |||
| Oaks Chengdu at Cultural Heritage Park | sutthinan_so@minor.com | |||
| Tivoli Chengdu at Cultural Heritage Park | sutthinan_so@minor.com | |||
| Pan Pacific Ningbo | ng.hweene@pphg.com | |||
| Pan Pacific Beijing | ng.hweene@pphg.com | |||
| 苏州吴宫泛太平洋酒店 | ng.hweene@pphg.com | |||
| Pan Pacific Tianjin | ng.hweene@pphg.com | |||
| Pan Pacific Xiamen | ng.hweene@pphg.com | |||
| The Sukhothai Shanghai | alexander.schillinger@sukhothai.com | |||
| Gateway, Hong Kong | cheryl.chi@wharfhotels.com | |||
| Marco Polo Hongkong Hotel | cheryl.chi@wharfhotels.com | |||
| Marco Polo Jinjiang Hotel | cheryl.chi@wharfhotels.com | |||
| Prince, Hong Kong | cheryl.chi@wharfhotels.com | |||
| Marco Polo Parkside,Beijing | cheryl.chi@wharfhotels.com | |||
| Marco Polo Wuhan | cheryl.chi@wharfhotels.com | |||
| Marco Polo Xiamen | cheryl.chi@wharfhotels.com | |||
| Maqo 长沙(长沙玛珂酒店) | cheryl.chi@wharfhotels.com | |||
| Niccolo Chengdu | cheryl.chi@wharfhotels.com | |||
| Niccolo Chongqing | cheryl.chi@wharfhotels.com | |||
| Niccolo Changsha | cheryl.chi@wharfhotels.com | |||
| The Murray, Hong Kong, A Niccolo Hotel | cheryl.chi@wharfhotels.com | |||
| Niccolo Suzhou | cheryl.chi@wharfhotels.com |
In order to provide you with the best guest experience possible, we need to share your Personal Information with third parties within China. Please see the list below for more information about the third parties within China that may receive your Personal Information: Before we transfer your Personal Information or Sensitive Personal Information, we will seek your separate consent in accordance with Relevant Laws and Regulations.
Transfers outside China
As a result of the global nature of our business, Members' Personal Information will need to be transferred to Overseas Recipients. Please see the list below for more information about the Overseas Recipients that may receive your Personal Information:
| Overseas Recipient | Country | Contact Details | Processing Purpose | Types of Personal Information | Methods of Processing | Retention Period |
| Opera Reservation System | Frankfurt, Germany | https://www.oracle.com/legal/privacy/data-protection-authority/ | Reservations Management Platform | Complete set of customer information, including first name, last name, address information, mobile number, email, language and other preferences, stay history | Collection, Storage, User, Editing, Transmission, Deletion | Unlimited |
| Opera Customer Information Platform | Frankfurt, Germany | https://www.oracle.com/legal/privacy/data-protection-authority/ | Customer Information Platform | Complete set of customer information, including first name, last name, address information, mobile number, email, language and other preferences, stay history | Collection, Storage, User, Editing, Transmission, Provision and Deletion | Unlimited until the consent to participate at GHA DISCOVERY is withdrawn |
| Oracle Responsys | Amsterdam, Netherlands | https://www.oracle.com/legal/privacy/data-protection-authority/ | Campaign management platform | Complete set of customer information, including first name, last name, address information, mobile number, email, language and other preferences, stay history, behavioural and engagement data | Storage Use | Unlimited until the consent to participate at GHA DISCOVERY is withdrawn |
| FusionAuth | Frankfurt, Germany | Hosting of Authentication credentials | Email, Username, First Name, Last Name and Email | Collection, Storage, Use, Editing, Deletion | Unlimited until the consent to participate at GHA DISCOVERY is withdrawn |
If you would like to exercise any of your legal rights over your Personal Information in accordance with Relevant Laws and Regulations against any of the Overseas Recipients named above, please get in touch with us using the information in the "HOW TO CONTACT US" section below.
Before we transfer your Personal Information or Sensitive Personal Information outside China, we will seek your separate consent in accordance with Relevant Laws and Regulations.
SDKs
We may embed third-party SDKs in our website, app, and WeChat mini program to ensure their stable operation and provide services to you. Please see the list below for more information about the SDKs that we rely on:
| SDK Name | SDK Operator | Purpose of Processing Personal Information | Types of Personal Information Processed | SDK Operator Privacy Policy |
| Oracle Responsys Mobile SDK 6.56.1 | Oracle | Marketing Communication & Personalization | 1) Device Information 2) Location Data 3) User Profile Information 4) Behavioral Data 5) Transactional Data 6) Usage Analytics 7) Push Notification Tokens | |
| Singular Flutter SDK 1.2.1 | Singular | Campaign Optimization,User engagement analysis, Performance Tracking & Reporting | 1) Device Information 2) App Installation Data 3) App Usage Data 4) Attribution Data 5) Location Data 6) Advertising IDs | |
| Google Maps flutter SDK 2.7.0 | Google Maps Platform | For Location Services | 1) Device Information 2) Location Data 3) App Usage Analytics 4) Cookies & Third Party data | https://policies.google.com/privacy |
| Firebase core SDK 2.1.1 | To connect to multiple Firebase applications | 1) Device Information 2) Location Data 3) Profile Information - Membership ID | ||
| Firebase Crashlytics SDK 3.0.4 | For Crash Reports Analytics | 1) Device Information 2) Location Data 3) Profile Information - Membership ID | ||
| Firebase Messaging SDK 4.7.9 2:16 | For Push notification functionality | 1) Device Information 2) Location Data 3) Profile Information - Membership ID | ||
| Firebase Analytics SDK 10.7.4 | To process personal information for various purposes related to analytics and improving app performance | 1) Device Information 2) Location Data 3) Profile Information - Membership ID | ||
| Firebase Instance Id SDK 1.0.0 | Device Identification, analytics & push notification delivery | 1) Device Information 2) Location Data 3) Profile Information - Membership ID | ||
| Flutter map SDK 6.1.0 | Flutter ||Google | For Location Services in China | 1) Device Information 2) Location Data 3) Analytics | |
| Facebook SDK 0.18.3 | To Track Facebook events and user interaction | 1) Authentication and Account Management 2) Analytics and Advertising 3) App Usage Analytics | https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0 | |
| CookieYes Consent Management | CookieYes | Consent Collection, cookie management & User right management | 1) IP Address 2) Device information 3) Memebership ID 4) Consent Preferences 5) Google Analytics Data 6) Browser information | |
| Google maps | To provide mapping and location-based services | 1) Device Information 2) Location Data 3) App Usage Analytics 4) Cookies & Third Party data | https://policies.google.com/privacy | |
| Mapbox 2.8.2 | Mapbox | For Location Services | 1) Location 2) Device information 3) Memebership ID 4) Data Usuage | |
| Google Tag Manager | To Analyze tags and tracking deployed onGHA Web and App | 1) Location data 2) Device & Browser information 3) Membership ID 4) USer ID 5) Conversion events 6) IP information | ||
| Yieldify | Yieldify | Digital marketing and conversion optimization | 1) Location data 2) Device information 3) Membership ID 4) Behavioral Data 5) Cookies & Tracking | |
| Lytics Customer Data Platform (CDP) | Lytics | Personalized and targeted marketing experiences | 1) Location data 2) Device information 3) Membership ID 4) Behavioral Data 5) Cookies & Tracking 6) GA4 data | |
| Google Analytics 4 | To Analyze user interactions with GHA Web and App | 1) Location data 2) Device & Browser information 3) Membership ID 4) USer ID 5) Conversion events 6) IP information |
Corporate Transactions
If we need to transfer your Personal Information due to a merger, division, dissolution, bankruptcy or any other reason, we will notify you of the organisational or personal name and contact information of the receiving party.
Foreign Governments
We do not share Personal Information with foreign governments except as Relevant Laws and Regulations permit.
Other Transfers
Because unforeseen situations can occur, we may need to transfer Personal Information in other circumstances not described above. Where this occurs, we will obtain any consent required from you, as required by Relevant Laws and Regulations.
5. SECURITY
We will take reasonable steps to secure your Personal Information against Security Incidents in accordance with Relevant Laws and Regulations and as described in the Privacy Policy. If you have any concerns about the security of your Personal Information or believe that you have experienced a Security Incident, please get in touch with us using the information in the "HOW TO CONTACT US" section below.
6. YOUR RIGHTS
Under Relevant Laws and Regulations, you have the right to:
- require GHA to explain its Personal Information Processing rules;
- restrict or deny the Processing of your Personal Information;
- request access to and make copies of your Personal Information;
- require the transfer of your Personal Information to certain third parties;
- correct your Personal Information if it is incomplete or inaccurate;
- have your Personal Information deleted if:
- the purpose of Processing has been achieved or cannot be achieved;
- the Personal Information is no longer necessary to achieve the purpose of Processing;
- the provision of goods or services cease;
- the retention period expires;
- the Processing conducted by GHA violates Relevant Laws and Regulations or relevant agreements; and
- required to by Relevant Laws and Regulations in any other circumstances.
- withdraw consent, at any time, to any Personal Information Processing based on consent;
- demand an explanation of and refuse decisions made solely employing automated decision-making that have a material impact on your rights and interests; and
- refuse or restrict business marketing or push-based information delivery conducted by means of automated decision-making.
Please note that if you decide to withdraw your consent, such withdrawal will not affect the validity of any Personal Information Processing already carried out before the withdrawal based on your consent.
If you would like to exercise the rights described above, please get in touch with us using the information in the "HOW TO CONTACT US" section below. We will deal with your requests to exercise your rights under applicable Chinese laws or administrative regulations promptly and within 15 working days.
Additionally, if you use our mobile application, you can also correct, complete or delete some of your Personal Information by clicking on Account/ Profile in the app.
7. HOW TO CONTACT US
If you have any questions about anything described in the Privacy Policy or this Addendum, or you wish to exercise your rights under Relevant Laws and Regulations, you may get in touch with us using any of the contact details listed below:
GHA Loyalty DMCC (Head Office)
Head office: 21st Floor, JBC5 Tower, Jumeirah Lake Towers, PO Box 487771
阿联酋,迪拜
电话:+971 4 4214287
Email: contact@ghadiscovery.com (available in Chinese and English)
GHA Loyalty DMCC (Representative in China)
Email: contact@ghadiscovery.com (available in Chinese and English)
Prof. Dr. Rolf Lauser
Data Protection Officer
Dr.-Gerhard- Hanke-Weg 31, 85221 Dachau, Germany
电子邮件:data.privacy@gha.com