Personal Data Policy on the processing of guest, customer and supplier data for Hotel Oasia
Hotel Oasia, CVR no. 33 05 52 26.
1. Data controller
Hotel Oasia is the data controller.
Hotel Oasia’s contact data:
Hotel Oasia handles all personal data in accordance with applicable personal data law. Hotel Oasia concludes agreements with guests, customers and suppliers on the delivery – purchase and sale – of various services and products.
When a guest/customer orders and purchases one or more of Hotel Oasia’s services, and, in connection with this purchase, provides their personal data to Hotel Oasia, the guest/customer/supplier also consents to the processing of their personal data by Hotel Oasia.
This same applies with regard to any personal data provided to Hotel Oasia by suppliers to Hotel Oasia in connection with the submission of offers or conclusion of agreements with Hotel Oasia.
2. Hotel Oasia’s collection of personal data
Personal data is collected by Hotel Oasia as follows:
- When a guest/customer – or a representative of theirs – chooses to obtain an offer and/or purchase services/products offered by Hotel Oasia, or when suppliers provide offers or sell products or services to Hotel Oasia.
- From the B2B market.
- Through browser cookies and web beacons.
- In connection with the use of Hotel Oasia’s digital services.
- Through participation in Hotel Oasia’s customer/loyalty programmes and through subscription to Hotel Oasia’s newsletter.
- From social media, advertising and analysis providers, and public records.
- Via video and television surveillance.
- When suppliers conclude agreements with Hotel Oasia or provide offers to Hotel Oasia.
The collection and processing of personal data, cf. the above, will always be performed in accordance with applicable personal data legislation.
Video surveillance installed at our entrances/exits, at cash registers and around particularly valuable equipment is part of criminal prevention activities and also serves to improve employees’ and guests’ sense of security.
3. Data collected by Hotel Oasia
Hotel Oasia collects the following personal data:
- Name, address, telephone number, e-mail address, date of birth and other common non-sensitive personal data.
- Payment card data – typically as a guarantee for a reservation and for payment for stays.
- Demographic data.
- Purchase history, including the use of Hotel Oasia apps and/or other digital services.
- The use of Hotel Oasia’s customer/loyalty programmes.
- Data from Hotel Oasia’s customer surveys.
- Data from competitions conducted by Hotel Oasia.
- Data from Hotel Oasia’s social media and other digital platforms belonging to Hotel Oasia.
- Browser data.
- Data about the guest’s/customer’s company and relevant contact persons.
- Data about suppliers’ companies and data about relevant and key contact persons, including key accounts.
A guest/customer/supplier can voluntarily and at their option provide Hotel Oasia with additional personal data that they deem of importance for Hotel Oasia’s servicing of them, or which they believe should be provided for safety/security reasons.
Examples of such data include:
- Special food preferences
- Other health or medical data
If a guest/customer/supplier voluntarily and at their option chooses to provide such data, Hotel Oasia perceives this as consent to register and store this sensitive data regarding them.
In addition to the data that Hotel Oasia receives directly from guests/customers/suppliers, Hotel Oasia will in some cases collect or process additional data received by Hotel Oasia from third parties, e.g. a travel agency, another intermediary or an employee of the company at which the data subject is employed.
In such cases, the applicable third party is obliged to inform the applicable guests/customers/suppliers of Hotel Oasia’s terms and conditions, and Hotel Oasia’s personal data policy. It is also the applicable third party’s responsibility to ensure the required legal basis for the collection and processing of the applicable data, including collection of required consent for the processing of any sensitive data.
4. Payment with payment cards
Hotel Oasia uses DIBS www.dibs.dk (Nets), for payments for redemption of payments with payment and credit cards. DIBS, and Hotel Oasia are all approved and certified by Pengeinstitutternes Betalingssystem (www.pbs.dk).
In connection with orders and bookings, Hotel Oasia stores the data provided by the guest/customer/supplier for a period of up to two years, after which the data is deleted.
Besides processing of the order, the data provided will only be used if, for example, a guest/customer/supplier contacts Hotel Oasia with a question, or if there are errors in the order.
5. What is the purpose of the collection and processing?
Hotel Oasia solely collects personal data necessary to fulfil the agreements concluded with guests/customers/suppliers on the delivery of services, e.g. an overnight stay or purchase/sale of products or services. The content of the individual agreement or the nature of the service determines which personal data is collected and processed by Hotel Oasia, as well as the purpose of the collection.
The purpose of collection and processing of personal data will primarily be:
- Processing of guest/customer booking and purchase of Hotel Oasia services.
- Processing of suppliers’ offers and the sale of products and services.
- Contact with the guest/customer before, during and after their stay.
- Fulfilment of the guest’s/customer’s request for an offer or purchase of services.
- Improvement and development of Hotel Oasia’s services.
- Adjustment of Hotel Oasia’s marketing and other communication.
- Analysis of guest/customer/supplier user behaviour and marketing to these groups.
- Adjustment of Hotel Oasia’s partners’ communication and marketing to guests/customers/suppliers.
- Administration of guest/customer/supplier relations with Hotel Oasia, including participation in Hotel Oasia’s customer/loyalty programme.
- Compliance with legal requirements, e.g. requirements to register overnight guests under the Danish Aliens Act and the Executive Order on Passports.
6. Legal basis for the processing
Hotel Oasia will typically process personal data because it is necessary to fulfil an agreement between Hotel Oasia and a guest/customer/supplier. For example, this may involve hotel stays, meetings and/or administration and fulfilment of cooperation and supplier agreements.
Furthermore, Hotel Oasia will process personal data in connection with booking prior to an overnight stay, meeting, event, conference, etc, and prior to the conclusion of supplier agreements.
In some cases, Hotel Oasia’s processing of personal data will occur in connection with Hotel Oasia pursuing a legitimate/objective interest that precedes the interests of the guest/customer/supplier (the data subject).
A legitimate interest may, for example, be the preparation of statistics, customer surveys, marketing and analysis of general guest/customer behaviour for the purpose of generally improving the guest/customer experience with Hotel Oasia and the quality of Hotel Oasia’s services and products.
If, in connection with a stay/visit at Hotel Oasia, a guest/customer provides data about special personal preferences or considerations, e.g. health data, disability, religious belief or the like, Hotel Oasia only uses this data to ensure consideration of the guest’s/customer’s personal preferences, health, etc.
In some cases, Hotel Oasia receives personal data from a third party, e.g. a travel agency, an agent or the like, including in connection with group bookings. In such cases, the applicable third party is required to inform the applicable guests/customers/suppliers of Hotel Oasia’s terms and conditions, and the contents of this personal data policy.
Furthermore, Hotel Oasia is required by law, cf. section 5 above, to register a range of data about overnight guests. This data must be stored for at least one year and not more than two years.
7. The data subject’s rights
Under the rules of the Personal Data Regulation, the data subjects (customers/guests/suppliers) have various rights.
- A data subject is entitled at all times to access the personal data processed by Hotel Oasia regarding the data subject.
- A data subject is entitled at all times to demand the correction and updating of personal data possessed by Hotel Oasia regarding the data subject.
- A data subject is entitled at all times to demand the deletion of personal data possessed by Hotel Oasia regarding the data subject. If a data subject requests deletion, all of the data that Hotel Oasia is not required by law to store will be deleted. In some cases, the deletion of the data subject’s data may mean that Hotel Oasia cannot fulfil concluded agreements or deliver certain services to the data subject.
If some of the data possessed by Hotel Oasia regarding the data subject is provided on the basis of the data subject’s consent, the data subject is at all times entitled to withdraw this consent, whereby the data will be deleted or no longer be used by Hotel Oasia. This does not apply to data which Hotel Oasia is required by law to store, cf. the section above.
However, the option of withdrawing consent, requesting deletion, etc may be limited as regards the protection of the privacy of others, trade secrets and intellectual property rights, and, for example, for the purpose of asserting potential legal claims.
The data subject may at all times request in writing that Hotel Oasia provide an overview and a copy of the personal data possessed by Hotel Oasia regarding the data subject.
A written request to this effect must be signed by the data subject and include the data subject’s name, address, telephone number and e-mail address.
The data subject may also contact Hotel Oasia if the data subject believes that their personal data is being processed in violation of the law or in violation of other legal obligations, e.g. this agreement/contract between the data subject and Hotel Oasia.
This written request must be sent to Hotel Oasia, see contact data in section 1 above.
After receipt of the data subject’s written request, Hotel Oasia will, as far as possible, send this data to the data subject’s mail address within one month.
If the data subject requests correction and/or deletion of their personal data, Hotel Oasia will assess whether the conditions for the request are met, and, if so, Hotel Oasia will perform changes or deletion as quickly as possible.
Hotel Oasia reserves the right to reject requests which are of a harassing repetitive nature, which require disproportionate technical measures (e.g. the development of a new IT system), which impact the protection of other data subjects’ personal data, or in other situations where it would be disproportionately resource-demanding or highly complicated to accommodate the request.
8. Security and sharing of personal data
Hotel Oasia protects the data subject’s personal data and has established guidelines protecting the data subject’s personal data from unauthorised disclosure and preventing unauthorised parties from gaining access to, or knowledge of, this data.
Only the persons/employees at Hotel Oasia who require the data subject’s personal data in connection with their job function have access to this data. Hotel Oasia performs continuous monitoring to prevent any unauthorised accessing of the data subjects’ personal data.
Hotel Oasia performs continuous backup of the registered personal data. In the event of a security breach where there is a high risk of abuse of the data subjects’ personal data, including, for example, identity theft, financial loss, damage to reputation or other forms of misuse, Hotel Oasia will notify the data subjects of the security breach as quickly as possible.
Hotel Oasia’s security procedures are continuously reviewed and updated in relation to technological developments.
Hotel Oasia utilises a number of external suppliers of IT services, IT systems, payment solutions, etc. Hotel Oasia regularly concludes data processor agreements with all of Hotel Oasia’s suppliers, ensuring that external data processors maintain a required and high level of protection of the data subjects’ personal data.
To fulfil agreements with the data subjects and to accommodate the needs of guests and customers, Hotel Oasia shares selected personal data with external suppliers, such as restaurants, hotels, etc. This is done either in connection with overbooking at the hotels, or, for example, the guest’s request for booking at a restaurant.
Hotel Oasia also shares and transfers the data subjects’ personal data internally in the Group, including to affiliated companies. The purpose of this sharing is to give the guest/customer the best possible service, regardless of the hotel or division of Hotel Oasia with which the guest/customer is in contact.
In some cases, Hotel Oasia is required by law or by the order of a public authority to transfer personal data.
Hotel Oasia deletes your personal data when Hotel Oasia’s legal obligation ceases, or when the purpose of collecting and processing the data is no longer present. As a general rule, financial data is stored for five years, and other data for two years after the last visit.
Complaints regarding Hotel Oasia’s processing of personal data can be directed to the Danish Data Protection Agency, BORGERGADE 28, 5, DK-1300 COPENHAGEN K, DENMARK, TELEPHONE (+45) 3319 3200 – E-MAIL email@example.com
Changes and adjustments to this policy will be added on a continuous basis.