Data Protection Policy
YAMAGATA DESIGN RESORT Co. Ltd, as represented in the European Union (the “EU”) by YAMAGATA DESIGN RESORT Co. Ltd. (“YDRHTL”, “us”, “we”, “our”) attaches great importance to the protection of privacy.
It commits to protect the information about all individuals located in the EU (referred to as “personal data”), both when they reserve rooms at our SHONAI HOTEL SUIDEN TERRASSE (the “Hotel”) via our website or otherwise and as hotel guests, and to only process it in accordance with the provisions below, the EU General Data Protection Regulation 2016/679 of 27 April 2016 (“GDPR”) and other applicable rules regarding the protection of personal data.
As part of our commitment to protect your personal data, this Data Protection Policy explains:
- which personal data we collect and process about you;
- why and how YDRHTL collects and processes your personal data, for how long and on which legal basis;
- who has access to your personal data and where;
- our role as the legal entity deciding about the processing of your personal data (referred to as “controller”); and
- what your rights and our obligations are in relation to such processing.
1 What type of personal data do we collect and process?
We collect and process the following personal data about you:
- identification information (e.g. name, gender, company name, email address, home/company address, fixed and mobile phone number, date and place of birth, picture, nationality, passport and visa information);
- the information relating to your booking for and stay at the Hotel (e.g. dates of arrival and departure, number of guests and affiliations, goods and services ordered during your stay, any special requests, observations about your service preferences including room and vacation preferences and more generally, any communications you have with us);
- the payment information (e.g. payment method, credit card number and account details);
- any information necessary to fulfil special requests (e.g. dietary requirements, health condition for which specific accommodation needs to be arranged, shuttle reservation);
- any marketing related information (e.g. results of surveys, information included in answers to our promotional offers); and
- any information provided by third parties with whom we do business such as travel agents or booking intermediaries (e.g. the time and location of order).
Through our website, we also collect and process:
- electronic identification data (e.g. user account and password, device identifier and IP address);
- technical information collected by cookies (e.g. type and version of browser and operating system, the type of device connected, information regarding the pages visited, the information researched, the time spent on our website, the time when and area/country from which the website is accessed, the number of users on the website at any given time, the ratio of users leaving the website without conducting a registration and other statistics regarding the browsing experience on our website); and
- information regarding your preferences on our website.

This information may either be directly provided by you, by the legal entity for whom you work (e.g. if your employer reserves a room for you) or by a third party making the reservation for you (e.g. your local travel agent or online travel agents such as Booking.com or Expedia).
To the extent authorised by law, we may also process so-called sensitive data, such as health related data stemming from dietary or disability related requirements. YDRHTL will only do so as strictly required to satisfy your specific request and only with your prior consent. In such case, the data will be accessed and processed solely under the responsibility of a representative of YDRHTL who is subject to a statutory or contractual obligation of confidentiality.
Whenever personal data about you is collected (e.g. through the use of a standard form on our website), we will indicate whether the provision of such data is mandatory (e.g. with an asterisk) and the consequences of your refusal to provide the requested personal data.
2 On which legal basis and for which purposes do we process personal data?
2.1 Legal basis for the processing
We only process your personal data provided:
- such processing is necessary to comply with our legal or regulatory obligations; or
- such processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request; or
- we have obtained your prior consent; or
- such processing is necessary to protect your vital interest; or
- such processing is necessary for the legitimate interest of NREHTL to the extent it is not overridden by your own interest or fundamental rights and freedom.
In relation to the processing of your personal data, our legitimate interests are: to benefit from cost-effective services (e.g. using platforms operated by third party suppliers); to prevent fraud or criminal activity, misuses of our website as well as the security of our IT systems, architecture and networks; and to meet our corporate and social responsibility objectives.
2.2 Purposes of the processing of your personal data
We process your personal data for specific purposes and only to the extent relevant to achieve these purposes. In particular, we process your personal data for the following purposes:
- to manage our customers;
- to implement tasks in relation to your reservation and the corresponding preparation of your stay at the Hotel and provide you with a better or more personalized level of services;
- to provide and charge for hotel accommodation and other goods and services and facilitate services on your behalf, such as restaurant and transportation services;
- to fulfil contractual obligations to you or anyone involved in the process of making your travel arrangements (e.g. travel agents, group travel organizers or your employer) and vendors (e.g. credit card companies, airline operators and third party loyalty programs);
- to provide for the safety and security of staff, guests and other visitors;
- to manage our IT resources, such as infrastructure management & business continuity;
- to manage our archiving and records;
- to track our activities (measuring sales, number of calls, visits to our website, etc.);
- to improve the browsing experience on our website;
- for invoicing purposes;
- to improve our existing services (or those under development) by means of customer and non-customer surveys, statistics and testing;
- to preserve our economic interests;
- to reply to any official request from a public or judicial authority in compliance with legal requirements;
- more generally, to comply with our legal, accounting and tax obligations in relation to your reservation and stay at the Hotel;
- to periodically send promotional emails about our products, special offers and information which you may find interesting, using the email address which you have provided (if any); and
- to carry out mergers and acquisitions and other investments or divestments involving YDRHTL or the Hotel.
3 Who has access to personal data and with whom are they shared?
3.1 Within our group
We may transfer personal data to affiliated companies of YDRHTL. Such affiliated companies may either act as another independent controller or process your personal data on our behalf and upon our request (thereby acting as processor). In all cases, the personal data will be processed only for the purposes set out in Section 2.2.
3.2 Outside our group
We may also transfer personal data to third parties, acting as processors, to achieve the purposes listed in Section 2.2 on our behalf, to the extent they need it to carry out the instructions we have given to them. We do not transfer personal data to these third parties for commercial use.
Such third parties include our (IT) systems, cloud service, data centre and database providers, website providers and consultants relevant to our business activities.
As processors, these third parties must enter into an agreement with us to process your personal data in accordance with the GDPR prior to having access to your personal data.
Where required, we may also transfer your personal data to:
any third party to whom we contractually assign or novate any of our rights or obligations related to the processing of your personal data; and any national or international public or judicial authority, where we are required to do so by applicable law or regulation or at their request, in compliance with law,
both categories of recipients above acting as controllers.
3.3 Transfers outside the European Economic Area
The personal data transferred within or outside our group, as set out in Sections 3.1 and 3.2, will be processed in countries outside the European Economic Area ("EEA") (i.e. the EU Member States plus Iceland, Liechtenstein and Norway). In particular, your personal data will be transferred to Japan and may be transferred to other countries where the recipients listed above in Sections 3.1 and 3.2 are located.
If your personal data is transferred outside the EEA to a country that has not been recognised by the EU Commission as offering an adequate level of protection for personal data, we will put in place the legally required safeguards or rely on the relevant legal derogations to ensure such transfer is carried out in compliance with the applicable law.
Such safeguards may include the entry into the standard contractual clauses as approved by the EU Commission prior to such transfer to ensure the required level of protection for the transferred personal data.
You may request additional information in this respect and obtain a copy of the relevant safeguard by exercising your rights as set out below.
4 How long do we store your data?
We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected and to comply with our legal and regulatory obligations, after which your personal data will be promptly removed from our systems. Notwithstanding the above, whenever your personal data is processed in the context of a dispute, it will not be deleted until (i) an amicable settlement has been reached, (ii) a decision in last resort has been rendered and enforced or (iii) the claim becomes time barred.
We use third-party analytics cookies (i.e. cookies tracking our website’s statistics) for the purposes of identifying and recording which pages of the website you access, collecting the information detailed in Section 1 and improving your browsing experience on the website.
Data collected through cookies will remain on our system for a maximum of 3 years from the last use of the website by a given user and will be removed from the system thereafter.
For more information as to how to manage cookies on your device, please consult the Help function of your browser or visit http://www.aboutcookies.org, which contains comprehensive information on how to manage cookies on a wide variety of browsers.
5 What are your rights and how can you exercise them?
5.1 Your rights
Within the limits and under the conditions set forth in the law, you have the following rights:
- to access your personal data as processed by us and obtain a copy thereof;
- to request any correction or update thereof;
- to request the erasure of your personal data;
- to request the restriction of the processing of your personal data;
- to withdraw your consent where YDRHTL based its processing of your personal data on your consent (without such withdrawal affecting the lawfulness of prior processing);
- to object to the processing of your personal data;
- to request the portability of your personal data (i.e. to obtain the personal data you have provided to YDRHTL in a structured, commonly used and machine-readable format and/or to request the transmission of such personal data to a third party, subject to compliance with your own confidentiality obligations).
5.2 Exercising your rights
To exercise the above rights, you may send a request by email to firstname.lastname@example.org, with a scan/copy of your identity card or passport for identification purposes. We will respond in compliance with applicable law.
If you are not satisfied with how YDRHTL processes your personal data, please let us know and we will investigate your concern.
You also have the right to make a complaint to the competent data protection authority.
6 Update of this Policy
This policy may be subject to amendments. Any future changes or additions to the processing of your personal data as described in this policy will be communicated to you through an appropriate channel, depending on how we normally communicate with you.