THE RITZ HOTEL (LONDON) LIMITED PRIVACY POLICY
1. Introduction
The Ritz London is one of the most iconic hotels in the world. As part of our commitment to excellence, we process a variety of data about identifiable individuals, including:
- Guests and customers
- Users of our websites
- Current, past, and prospective employees
- Other stakeholders
If you wish to contact us at any time regarding how we use your data, please contact our DPO at [email protected]
This Privacy Policy applies to all systems, people, and processes that constitute the organisation’s information systems, including those of directors, employees, suppliers, and other third parties with access to The Ritz London systems.
This notice outlines our steps to keep your private data safe and comply with all current legislation.
2. Definitions
Below are some important definitions:
Personal data
Any information relating to a person (a ‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Data Subject
The identified or identifiable living individual to whom personal data relates.
Controller
A person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Only controllers need to pay the data protection fee.
Processor
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Processing
In relation to personal data, means any operation or set of operations which is performed on personal data or on sets of personal data (whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction).
Data Protection Officer
Under the GDPR, some organisations need to appoint a Data Protection Officer (DPO) who is responsible for informing them of and advising them about their data protection obligations and monitoring their compliance with them.
3. Who is the Data Controller
The Ritz Hotel (London) Ltd is the data controller with respect to your personal data. We are registered with the Information Commissioner’s Office (ICO), as is our appointed Data Protection Officer (DPO).
The controls we have in place apply to all our systems, people and processes that constitute The Ritz London’s information systems. This also includes our directors, employees, suppliers and other third parties who have access to our systems and process information on our behalf.
4. How do we get the information, and why do we have it?
The majority of the personal information we process is in relation to marketing. As a hospitality business, The Ritz Hotel London wants to inform guests of the wonderful offers and events occurring at the hotel.
We also share and receive personal information from trusted hospitality agencies that we work with.
We have a legitimate interest in sharing this information for the benefit of our guests and our business.
Where we have obtained consent to process personal data, that individual can remove that consent at any time. This can be done by contacting the hotel via email at [email protected]
5. Principles
The Data Protection Act 2018 controls how we use data. The UK General Data Protection Regulation sits alongside the Data Protection Act and outlines the framework to which organisations have to adhere to be in compliance. There are seven principles that we must, and do, apply to our controlling and processing of data:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
6. Individual rights
The Ritz London takes individuals’ privacy extremely seriously. We make every attempt to comply with the UK GDPR and the ICO guidance on individuals’ rights, namely:
- Right to be informed
How we use your data
- Right to access
How you can access your data through a Subject Access Request
- Right to rectification
Ensuring the information we hold is correct and updated
- Right to erasure
Also known as the ‘right to be forgotten’
- Right to restrict processing
Requesting that your personal data be restricted or suppressed
- Right to data portability
Allowing individuals to obtain and reuse their personal data across different services
- Right to object
An individual’s absolute right to stop their data from being used for direct marketing. In other cases, we may continue to process if we have a compelling reason to do so.
- Rights related to automated decision-making, including profiling
We can only carry out this type of decision-making when:
  - Necessary to enter into or perform a contract
  - Authorised by the domestic law applicable to ourselves
  - Based on an individual’s consent
7. CCTV and Video Surveillance
As an iconic hotel, and with an eclectic array of guests and visitors, The Ritz London deploys a CCTV system for the security and safety of our guests and employees.
Our system is licensed with the ICO, and we adhere strongly to their guidance on its use. We do not use facial recognition, body-worn cameras or ANPR. Access to footage is strictly controlled, and the system logs all usage and downloads of footage.
8. Direct Marketing and Privacy and Electronic Communications
The Ritz London uses direct marketing to ensure our guests are kept up to date with news and offers. We use legitimate interest as a lawful basis for sending communications to our guests.
We collect personal information from various sources, including our reservations database and trade shows. This information is collected to provide information on our products and services to business and leisure clients and to communicate updates and offers. Our lawful bases for processing your data include consent, contractual necessity, legal obligations, and legitimate interests, ensuring your rights and freedoms are respected.
We may share your information with systems that allow us to fulfil your reservation, such as sending out confirmation and post-stay emails, guest questionnaires, restaurant order information, and transferring your booking details from online travel agent websites into The Ritz London’s property management system. Any personal data that is shared will only be with companies that have appropriate safeguards in place to protect your data.
If you have provided consent for specific processing activities, you may withdraw it at any time by contacting us at [email protected] or using the unsubscribe links in our emails. Once you withdraw consent, we will stop processing your information unless we have a valid, lawful or contractual basis to continue.
9. Information Security
We ensure that the personal information we hold is secured by appropriate technical and organisational security measures. In the unlikely event of a data breach, we will notify you immediately where there is a likelihood it may impact you.
We will also inform the Information Commissioner’s Office (ICO) of any reportable breach immediately, in line with our statutory duty. We have procedures and processes in place to ensure we protect your information, and our employees receive regular training in the security and handling of your personal data.
10. How we store your personal information
We protect your personal information using a variety of different methods.
Personal data is stored in secure environments with restricted access to authorised personnel. Access is granted using role-based permissions configured using “least privilege access” methodology. Multi-factor authentication (MFA) has been implemented where applicable. Personal data in transit is always encrypted using strong cryptography (for example AES-256 GCM) and sensitive personal data at rest is also encrypted using strong cryptography.
Regular data backups are taken, encrypted using strong cryptography and stored in secure environments with restricted access to authorised personnel. Retention periods are set in accordance with the business data activities processing policy. When personal information has reached the end of its retention period, it is automatically purged. Any systems used for storing personal information are securely erased before being disposed of or recycled.
We are required by law to store some types of data for statutory reasons, including:
- Financial records
- Human resources/employee records
- Guest records
We also hold marketing data, where the person has opted in directly or via a third party, for legitimate business purposes.
Other types of data we hold, which auto-purge after prescribed periods of time, include:
- Access control data
- CCTV footage
11. How to request information
If you wish to request information regarding your personal data, please contact the Ritz Data Protection Officer via email at:
DPO at [email protected]
They will then forward a Data Subject Access Request (DSAR) for you to lay out your particular request. Subject to confirmation of identity, we will reply within the prescribed time. This would normally be within 30 days of the original request, but may, in more complicated requests, extend to 60 days.
12. How to complain
If you have any concerns about our use of your personal information, you can make a complaint to our Data Protection Officer at:
DPO at [email protected]
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Last updated: 1st March 2024