We hereby inform you of how we process your personal data, pursuant to Articles 13 and 14 of EU Regulation dated April 27, 2016 No. 679 (“General Data Protection Regulation” or “GDPR”) and other applicable law.
ROSEWOOD HOTELS AND RESORTS NETHERLANDS B.V (“Rosewood”, “we”, “our”, “us”) is a controller of your personal data. Rosewood manages ROSEWOOD CASTIGLION DEL BOSCO HOTEL (the “Hotel”) on behalf of CASTIGLION DEL BOSCO HOTEL S.R.L., the owner of the Hotel (“Owner”).
Whenever Owner collects information from you and processes it for its own purposes, Owner is also a controller of your personal data. The use of your information by Owner will be governed by its own privacy notices, if and to the extent not already covered under this Notice.
1. Personal Data: Use, Purpose and Legal Basis
Rosewood collects certain information from you in order to complete your reservation/check-in and provide you with goods and services you request, including your contact details, financial banking details, your travel information (length of stay, nationality, passport information, visa, etc.), and images through video surveillance systems. We also collect your personal data to provide you with quality service during your stay such as your contact details to communicate with you, your profile or image, and other information you provide to us such as your room preferences, special requests, dietary preferences, event details or in connection with on-property services, such as concierge services, health clubs, spas, wellness and fitness centers or other activities, including handling of your application for membership in wellness and fitness centers. Also in order to provide you with quality service and based upon our legitimate interests to constantly improve the quality of our service, Rosewood may retain certain documents (including guest comment cards or e-mails) that you send us before, during or following your stay. To further personalize your experience, we may collect special categories of personal data (if any), such as your health-related data or religious belief, with your explicit consent.
More specifically, Rosewood will process your personal data for the following purposes and based on the following legal basis:
a) Performance of hotel reception services; management of information relating to your stay at the Hotel and visits at the Hotel’s wellness and fitness center, including correspondence, telephone calls and messages directed to you, according to the instructions you will provide to us. To protect your privacy, we will not disclose your stay at the Hotel to any third party, unless you indicate otherwise. The legal basis for this processing is the contract to which you are party.
b) Retain certain information and preferences regarding your stay at the Hotel in order to personalize your experience at all Rosewood member hotels; the legal basis for this processing is Rosewood’s legitimate interests in providing you with a personalized experience. Currently Rosewood does not collect any special categories of personal data, except when you visit the Hotel’s wellness and fitness center as referred to in Paragraph (d). If we have collected any special categories of personal data from you before, the legal basis was your consent.
c) Marketing of Rosewood products and services and promotional activities of Rosewood, our affiliates and partners. The legal basis for this processing is either your consent or legitimate interests in marketing our services to you.
d) Provision of the services offered by the Hotel’s wellness and fitness center; in order to further personalize your experience and to protect your health, special categories of personal data relating to your physical condition and your state of health (e.g., medical conditions and allergies) may be processed. The legal basis for this processing is your consent. Such consent will be collected separately at the wellness and fitness center.
When Owner collects information from you, Owner may process your personal data for the following purposes and based on the following legal basis:
e) Fulfilment of law requirements (including the obligation provided for by article 109 of R.D. 18.6.1931 No. 773, which requires the registration and communication to the Police of the details of the guests of the Hotel), including all applicable administrative, accounting and tax obligations. The legal basis for this data processing is the need to comply with legal obligations applicable to Owner.
f) Marketing and promotional activities of the Hotel by Owner (currently, the Hotel is operated by Rosewood and might in the future be operated by another party). The legal basis for this processing is your consent.
g) In furtherance of the Owner’s legitimate interest to ensure your safety and security as well as the safety and security of the Hotel’s employees and the Hotel property, the Hotel uses a video surveillance system in its lobby and other common areas in the Hotel. Images collected from the Hotel’s surveillance feeds are stored only for a limited period of time, subject to legal requirements to retain data (including statutory retention periods), upon which they are deleted.
Providing your personal data for the purposes referred to in Paragraphs (a) and (e) above is required by law or in accordance with a contract to which you are a party. As such, failure to provide such data will prevent Rosewood and Owner from performing their contract and providing you with the services.
Providing your personal data for the purposes referred to in Paragraphs (b) and (d) above (if and to the extent special categories of personal data (such as health data) are concerned) and Paragraphs (c) and (f) above is optional and based on your consent. Alternatively, processing under Paragraphs (b) and (c) is based upon the legitimate interests of Rosewood when it is processing ordinary types of personal data, and failure to provide such data will not affect your stay at the Hotel. If you give your consent to such processing, we remind you that you have the right to revoke such consent at any time.
Processing of images collected for the purposes referred to in Paragraph (g) is based on the legitimate interest of the Owner, and data are kept anonymized unless an incident or complaint has been established.
2. Your Travel Companions
You are responsible for delivering a copy of this Notice to your travel companions, on our behalf, and for obtaining the consent of your travel companions, on our behalf, when providing their personal data to us (if applicable). For minors, you represent and warrant that you have the legal authority to provide us their personal data.
3. Sharing Your Personal Data and International Transfers
4. Retention of personal data
In accordance with the principles of proportionality and necessity, your personal data will not be retained for a period longer than the time necessary to achieve the purposes for which data are collected, subject to legal requirements to retain data (including statutory retention periods).
Your personal data that we process based upon your consent, including your consent to marketing activities or your consent to processing special categories of personal data (if any), can generally be used for the purposes of the consent and retained until your consent is revoked, unless there are other legal grounds for processing, such as legal requirements to retain data (including statutory retention periods).
Generally, we may also retain your personal data as long as necessary for the establishment, exercise or defense of legal claims. More detailed information can be communicated upon request.
5. Your Rights
To the extent these rights are provided to you by law (including the GDPR, the UK Data Protection Act or other laws), you are entitled to obtain access to and information on the processing of your personal data, make use of your right to data portability and to have your personal data rectified or deleted or their processing restricted.
You may object to the processing of your personal data under certain circumstances, including objecting to processing your personal data when it is done based upon legitimate interests (e.g., sending you marketing-related materials or using your personal data contained in documents, such as guest comment cards or emails, that you send us for the purpose of personalizing our services to you).
If you no longer wish to receive any marketing-related materials, you may also opt-out by unsubscribing following the instructions included in any email or other marketing material you receive from us.
You may withdraw any consent to the processing of your personal data, including any marketing consent, at any time with future effect.
If you believe that your Personal Data is not being processed in accordance with the applicable law (including GDPR), you are also entitled to contact or lodge a complaint with the supervisory authority or seek other remedies under applicable law.
To fulfill your requests for exercising your rights under applicable law (including the GDPR or the CCPA), it may be necessary for us to verify your identity or authority to make the request and confirm the personal data relates to you.
For our guests who are California residents
If you are a California resident, the California Consumer Privacy Act (“CCPA”) provides you with specific rights regarding your personal information. You have the right to be informed of the categories of personal data that we collect about you, the categories of sources from which the personal data was collected, the business or commercial purposes for which the personal data is used, disclosed, or sold, and the categories of third parties with whom we share the personal information, as set forth in this Notice. You have the right to request that we disclose specific pieces of personal data we collected about you over the past (12) twelve months. You have the right to request that we delete any of your personal data that we collected from you and retained, subject to certain exceptions. You also have the right to opt out of the sale of your personal information. If you would like to exercise any of your above rights, please contact us as described below.
To fulfill your requests for exercising your rights, we verify your identity or authority to make the request and confirm the personal data relates to you, or others, if you are an Authorized Agent (see below). Accordingly, Rosewood will collect your name, e-mail address and phone number to verify your identity. Once we have verified your identity, we will respond to your request within 45 days, unless additional time is needed, in which case we will let you know.
You may also exercise your rights via an authorized agent (“Authorized Agent”). An Authorized Agent can be a third party that you authorize to act on your behalf, such as a third party with power of attorney. When an Authorized Agent is submitting a request on your behalf, we will require such Authorized Agent to provide evidence (e.g., a written permission, declaration or affidavit) demonstrating that they have authority to make the request on your behalf, and the Authorized Agent would have to verify their own identity directly with us.
Please note that if we cannot verify your identity, we are not obligated to provide you or your Authorized Agent information regarding your personal information.
6. Contact Us
If you wish to exercise any of your rights above, or if you have any questions concerning the content of this Notice or generally our data processing practices, or, you may:
We also wish to inform you that Owner has appointed a Data Protection Officer who can be contacted at the following email address: firstname.lastname@example.org.
Last Updated: 29 January 2021
Effective Date: 1 February 2021
Our privacy practices may be more or less limited in certain countries in which we operate to reflect local practices and legal requirements. We will specifically inform you, if this is the case.
1. What Information Does Rosewood Collect?
2. When is Your Personal Data Collected?
3. Why is Personal Data Used?
4. Do We Sell your Personal Data?
5. When and to Whom Do We Disclose Your Personal Data?
6. What Cookies and Other Technologies Do We Collect?
7. How Do We Protect Your Personal Data?
8. Third-Party Websites and Services
9. Cross-Border Data Transfers
10. How Long Do We Retain Your Personal Data?
11. How Can You Manage Your Preferences and Information?
12. What Are Your Rights and How To Exercise Your Rights?
13. What Information is Collected From Children?
15. How to Contact Us?
1. WHAT INFORMATION DOES ROSEWOOD COLLECT?
1.1 Personal Data from or about You
1.2 Sensitive Personal Data
From time to time, you may provide or we may collect what is considered sensitive personal information or “special categories of personal data” under applicable privacy laws (herein referred to as “Sensitive Personal Data”). For example, you may disclose your religious affiliation to us when you host or attend an event at one of our hotels or provide your health information or dietary restrictions so that we can accommodate you during your stay.
We only process Sensitive Personal Data if and to the extent permitted and required by applicable law or with your express consent. Unless otherwise required by applicable law, you are not required to provide us with any of your Sensitive Personal Data. Should you choose not to, your decision would not prevent you from using our Services.
2. WHEN IS YOUR PERSONAL DATA COLLECTED?
We collect Personal Data about you in a number of ways, including when you provide such data to us. This includes:
We collect Personal Data, including from other sources. This includes:
3. WHY IS PERSONAL DATA USED?
We use your Personal Data, both for business and commercial purposes as set forth below.
3.1 Performance of a Contract. We process your Personal Data in order to perform a contract with you, including to complete your reservation, provide you goods and services that you requested, or to inform Owners of your stay in order to render services to you while visiting a hotel or other property that we manage.
3.3 To Comply with Legal Obligations. We process your Personal Data where it is necessary to comply with legal obligations to which we may be bound. This includes complying with legal processes, responding to requests from public and government authorities around the world, and pursuing available remedies or limiting damage we or other third parties may sustain.
3.4 With Your Consent. We process your Personal Data when we have your valid consent to do so, including to communicate (including by e-mail and SMS) with you during your stay, to send you promotional offers, newsletters, information on us, our Services, and other marketing communications in accordance with your preferences; and to process Sensitive Personal Data you may have provided us in connection with your stay; for example, any dietary restrictions or special accommodations for physical and medical conditions.
3.5 Vital Interest. In certain circumstances when it is not possible to obtain your consent, it may be necessary for us to process your Personal Data, including Sensitive Personal Data you provided through our Services, where it is in your vital interest or in the interest of others, for example in the event of a medical emergency.
4. DO WE SELL YOUR PERSONAL DATA?
5. WHEN AND TO WHOM DO WE DISCLOSE YOUR PERSONAL DATA?
In the preceding twelve (12) months, we have disclosed or shared your Personal Data described as follows:
5.1 To Owners, Hotels and Other Properties. The Personal Data you provide to us in connection with making a reservation, including your Contact Details, Demographic Data, Financial Details, and Guest Stay Information, is shared with the respective Owner and hotel or property for purposes of meeting your reservation request. After your stay, we retain your Personal Data, including the details of your stay and your preferences (e.g., room, type, interest, hobbies, amenities used) to provide you personalized service during your next stay, subject to your preferences.
5.3 Commercial Service Providers and Suppliers. We outsource certain functions and/or information to third parties that provide services to Rosewood such as Services hosting, data analysis, payment and credit card processing, order fulfilment, customer service, e-mail delivery, financial services companies, delivery services, advertising networks, and information technology. We may also share your Personal Data described above with third-party providers that provide services such as spa treatment, salons, and restaurants within our hotels or other properties, or event planners or organizers of any event you plan or host with us.
5.4 External Partners. We may share your Personal Data to other partners, consultants and advisors who render services to us, including financial institutions, external auditors, lawyers, and credit card issuers.
5.7 Co-Sponsors of Promotions and Sweepstakes. Your Personal Data, including your Contact Details or Feedback, may be shared with our affiliates or other unaffiliated business partners that serve as co-sponsors or third-party sponsors of promotions, sweepstakes, or other contests if you enter into one of these activities on our Services.
5.8 Social Media and Message Boards. If you connect to one of our social media pages, we may disclose your Personal Data including your Social Media Details to your friends associated with your social media account, to other website users, and to your social media account provider, in connection with your social sharing activities. We may make reviews, message boards, blogs and other user-generated content available to users on our Services. Any information disclosed in these areas is public information and you should accordingly exercise caution when deciding to disclose your Personal Data in this context. We are not responsible for the privacy practices of other users including web operators to whom you provide information.
5.9 Business Transfers. From time to time, we may sell our business, hotels and other assets or may cease managing a hotel or property owned by an Owner. In those circumstances, we may include Personal Data collected about you, or control of that Personal Data, as a business asset in any such transfer. For example, if we cease to operate a hotel property we do not own, the Owner may continue to have and use your Personal Data for continued business purposes consistent with the hotel’s operations, including direct marketing. Additionally, we may disclose your Personal Data to a buyer or other successor in the event of a merger, sale or other transfer event, in which Personal Data held by us about our users is among the assets transferred.
5.10 Anonymized Data. We may share aggregated data with third parties collectively in an anonymous way, which does not reveal Personal Data.
6. WHAT COOKIES AND OTHER TECHNOLOGIES DO WE COLLECT?
6.1 Automatic Data Collection. We may use automatic data collection technologies to collect certain statistical (non-personal) information about your equipment, browsing actions, and patterns, including (a) details of your visits to our Services, including traffic data and location data, date and time of access, frequency and other communication data; (b) information about your computer and internet connection, including your IP address, operating system, host domain, and browser type; and (c) details of referring websites actions, and patterns.
6.3 Social Media Plug-ins. One of the features of our Site is that it uses what are called social plugins (“plugins”) from the social networks Twitter, Facebook, YouTube, Pinterest, and Instagram. These plugins are indicated by the respective logo of the social network. When you access our Site, your browser establishes a direct connection with the servers of these social networks. The content of the plugin is transferred by the social network directly to your browser, which then integrates it into the Site.
6.4 Integration of the plugin causes Facebook, for example, to receive the information that you have loaded the corresponding page of our Site. If you are logged in with Facebook, it will be able to assign your visit to your Facebook account. Please note that an exchange of this information already takes place when you visit our Site, regardless of whether you interact with the plugin or not. If you interact with the plugins, such as by pressing the ‘Like’ button, the corresponding information is sent directly to Facebook by your browser and saved there. You can find information on the purpose and extent of data acquisition as well as how the data is processed further and used by the social networks, together with your rights and optional settings to protect your private sphere, in the data protection notes of the social networks.
6.6 Wi-Fi and Location-Based Services. In the course and for the purpose of providing Wi-Fi services at our hotels and other properties, we may collect device identifiers (such as your IP address, or other unique identifier). Based upon your consent, we also may collect information about the physical location of your device through use of the Wi-Fi services or other technologies to provide you with personalized location-based services, such as customized offers and promotions or to find a hotel near you.
6.7 Do Not Track. Currently, we do not alter our data collection and use practices in response to Do Not Track signals.
7. HOW DO WE PROTECT PERSONAL DATA?
We maintain commercially reasonable security safeguards that are designed to protect the Personal Data we collect against unauthorized use, disclosure, alteration or destruction. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure and we cannot guarantee or warrant that your Personal Data is under absolute security with the existing security technology. Additionally, when requesting information or sending information or forms to us by e-mail, please be advised that e-mail communication to and from our Services is not secure unless clearly noted otherwise. This is a risk inherent in the use of e-mail.
8. THIRD-PARTY WEBSITES AND SERVICES
8.1 Our Services may contain links to, or have features that are hosted by, other third-party websites or services that are not owned or controlled by us. For example, we give you the opportunity to connect, link, or share our Services (and the content you access) via certain social media websites.
9. CROSS-BORDER DATA TRANSFERS
9.1 The Personal Data and other information that we collect from you will be transferred to, and stored at, a destination outside the EEA. It also may be processed by staff operating outside the EEA who work for us or other entities acting as data processors processing data on our behalf. This includes staff and providers engaged in, among other things, the fulfillment of your request or order and the provision of support services. More information on to whom your data is disclosed can be found in Section 5.
9.2 To comply with applicable data protection law, we have implemented international data transfer agreements on the basis of EU Standard Contractual Clauses in order to provide appropriate and suitable safeguards for Personal Data transferred to countries outside the EEA where an adequate level of protection is not already guaranteed. A redacted copy (removing commercial terms) can be obtained by contacting us at the contact details provided in Section 15 below.
10. HOW LONG DO WE RETAIN YOUR PERSONAL DATA?
11. HOW CAN YOU MANAGE YOUR PREFERENCES AND INFORMATION?
11.1 Commercial E-mails. You may opt-out of receiving commercial e-mails from us by following the instructions contained in any of the commercial e-mails. Unsubscribing from one type of communication may not unsubscribe you from another type. Please note that even if you unsubscribe from commercial e-mail messages, we may still e-mail you non-commercial (transactional) e-mails related to your account and your transactions via the Services.
11.2 Owners (following termination or expiration of our management agreements) and third-party providers may use your Personal Data for marketing purposes. If you wish to opt-out of receiving offers directly from Owners and third-party providers, you can follow the instructions in the e-mails that they send you.
11.3 EU Users and Commercial E-mails. If you are a user based in the EU, we only send you commercial e-mails when we have obtained your explicit prior consent, except where we have obtained your e-mail address in the course of a sale or negotiations for a sale of a product or service and where the commercial e-mails are only marketing similar products or services.
11.4 Text Messages and SMS. To opt out of text messages, reply STOP to the message you received or contact the hotel or property front desk to inform them you no longer wish to receive text messages.
11.5 Mobile Apps. You can control whether our Apps send you push notifications by changing your notification settings on your mobile device.
11.6 Access and Connections to Social Media. If you registered with the Services through your social media account, or connected, linked, or shared your use of our Services via your social media profile, you can manage the permissions granted to such third-party social media services by accessing your user settings under your account. You also can remove our access to your social media account or otherwise control what information these third-party social media services share with us at any time by accessing the privacy settings in your social media account.
12. WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE YOUR RIGHTS?
Under applicable law and regulations, you may, at any time, exercise certain rights, as described below:
12.1 For Residents in the European Union/European Economic Area
12.2 For California Residents
If you are a resident of California, California law provides you with specific rights regarding your Personal Data. These include:
12.3 For residents in other jurisdictions
Where permitted by applicable law, you may request access, correction and deletion of the Personal Data Rosewood has about you.
How to Exercise Your Rights
To exercise the rights described above, contact us as provided for in Section 15 below. Rosewood will respond to your request(s) as soon as reasonably practicable, but in any case, within the legally required period of time.
Your privacy and information security are important to us. For this reason, we verify your identity or authority to make the request and confirm the Personal Data relates to you, or others, if you are an authorized agent. Accordingly, Rosewood will collect your name, e-mail address and phone number to verify your identity. Upon receiving your request, we also contact you via email and/or other secured communication channel to verify your identity by asking you additional security questions in order to match your identity with the data we maintain about you.
Please note that, if we cannot verify your identity, we are not obligated to provide you or your Authorized Agent information regarding your Personal Data.
For Your Security
Rosewood does not collect sensitive information, such as your full credit card details, social security or national identification number, to verify your identity. Please do not send Rosewood sensitive information and be aware of any phishing scams or fraudulent calls requesting such information from you.
While we maintain commercially reasonable safeguards to protect your Personal Data, no method of transmission is 100% secure and we do not guarantee or warrant that your Personal Data is under absolute security with the existing security technology.
Submitting Request via an Authorized Agent
You may also exercise your rights via an authorized agent (“Authorized Agent”).
An Authorized Agent can be a third party that you authorize to act on your behalf, such as a third party with power of attorney.
If you are a resident of California, an Authorized Agent can only be a person or a business entity that you authorize to act on your behalf to submit a verifiable consumer request related to your personal data.
When an Authorized Agent is submitting a request on your behalf, we will require such Authorized Agent to provide evidence of their entitlement, e.g., a written permission, declaration or affidavit demonstrating that they have authority to make the request on your behalf, and the Authorized Agent would have to verify their own identity directly with us.
Disclosure of Personal Data
Once we have verified your or your Authorized Agent’s identity, we will disclose the specific pieces of Personal Data we collected about you, which will be made in writing and delivered through your account with us, if you maintain such an account. If you do not maintain an account with Rosewood, we will provide such information by mail or electronically, at your option, in a readily useable format that allows you to more readily transmit the information from one entity to another entity.
13. WHAT INFORMATION IS COLLECTED FROM CHILDREN?
13.1 We have not designed the Services for, and do not intend for them to be used by, anyone under age 16. We do present information regarding our Rose Buds® program on our Services for the reference of adults that are interested in activities at our locations for children. Accordingly, the Services should not be used by anyone under age 16 without adult supervision. If you are under 16, please do not provide Personal Data of any kind whatsoever.
13.2 Should we inadvertently acquire Personal Data or other information from users under the age of 16, we will not knowingly provide this data to any third party for any purpose. If a child does provide us with Personal Data over Services, a parent or guardian of that child may contact us and upon notification, we will delete from our records any information collected from children under the age of 16.
HOW TO CONTACT US
Rosewood Hotel Group
You may also submit a request to exercise your rights by visiting <<Privacy Rights Request>>, where you will find more information on how to submit a request and how we handle your request.