Napa Mermaid GDPR Outline
4 June 2018 v2
The Napa Mermaid Hotel & Suites Ltd. complies with the European Union’s General Data Protection Regulation (GDPR), which came into force in the European Union on May 25th, 2018. Additional information pertaining to your rights under GDPR can be found on the EU website.
In this section of our website, we explain in clear terms our responsibilities under GDPR, and how we collect, store and process your personal data.
The following definitions apply to this policy:
a. A “guest” is considered any customer or visitor to our hotel. A guest may stay overnight at our hotel, or may be a day visitor to our Spa, restaurant, pool or conference facilities.
b. “Personal data” comprises
“… any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Examples of personal data comprise:
· a name and surname;
· a home address;
· an email address such as firstname.lastname@example.org;
· an identification card number;
· location data (for example the location data function on a mobile phone)*;
· an Internet Protocol (IP) address;
· a cookie ID*;
· the advertising identifier of your phone;
· data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.”
c. The term “we” refers to the duly-employed management and staff of the Napa Mermaid Hotel & Suites Ltd, as well as to the legal entity that provides the hotel accommodation and related service to our guests.
d. The term “you” refers to individual hotel guests and visitors that use the accommodation, services and related facilities of the Napa Mermaid Hotel & Suites Ltd.
e. Travel Agents and Tour Operators refer to duly-registered and legally-operating companies that provide travel services, including hotel bookings as well as packages including hotel bookings, food and beverage packages, flights, transfers and related services. All travel agents and tour operators operating within the European Union are regulated by and comply with national and European law.
f. Online Travel Agents (OTAs) refers to online travel platforms such as Booking.com or Expedia.com, which offer travel services to their customers based mainly on service provision delivered over the internet. All OTAs operating within the European Union are regulated by and comply with national and European law.
1. Sources of Personal Data Collection
The Napa Mermaid Hotel & Suites Ltd. collects personal data from a number of sources:
a. From our commercial partners, including Travel Agents and Tour Operators such as Thomas Cook, TUI, Hotel Plan, FTI, ITS and Dertour that you have chosen to book your holiday with. These partners will communicate your personal data to us for the purpose of arranging your accommodation with us.
b. From Online Travel Agents such as Booking.com or Expedia that you have used to reserve your accommodation at our hotel. These partners will communicate your personal data to us for the purpose of arranging your accommodation with us.
c. From reservations you make directly with our hotel, either via our website, or via calls, emails, and faxes to our reservations team.
d. From our in-house internet access system, HotelFeedback, which is used to provide internet access.
e. From paper guest quality surveys, our Spa Medical form, and other registration forms provided on-site, where name and email registration is optional.
f. From optional requests you may provide us, where registration of personal data is required for third-party services such as restaurant reservations, excursions, car rental requests, airport transfer requests, event registrations, and related activities.
g. From emails, telephone calls, faxes or other messages you submit to us directly, either via electronic media, or by paper messages or notes left on site. This includes the submission of business cards.
h. From other information you may submit, for instance CVs for employment.
i. From social media platforms or applications where the visibility of personal data is an accepted mode of interaction.
We also collect guest data upon check-in (see below).
2. Types of Data Collected
The types of personal data collected and used include:
a. Your personal identification, i.e. First and Last Name
b. Your date of birth, which is a mandatory legal requirement of registration
c. Your passport or ID number, which is a mandatory legal requirement of registration (in some cases, we may also collect paper copies of your documents)
d. Your credit card number, which is necessary for the financial guarantee of your stay (in some cases, we may make an imprint or paper copy of the credit card)
e. Your salutation (Mr., Ms., Mrs., Dr., etc.)
f. Your personal address
g. Your personal communications data, e.g. telephone, fax, email address
h. Whether or not you have paid for breakfast or other services.
In some cases, you may declare a specific health issue or dietary condition, which is used to assure your safety during your stay with us. This is an optional process, not a mandatory one.
In some cases, we may collect your credit card data for use in paying for or guaranteeing your reservation. This may comprise a photocopy of your credit card, or the credit card number, expiration date and secret code, which may be added to your Guest File in our Central Reservation System. This is used to guarantee expenses that may be charged to your room.
If you visit our Spa, we will ask you to complete a Medical Disclosure form, which lists potential medical conditions that could affect your health during or following a spa treatment.
We note that the First Name, Last Name, Date of Birth, Passport and/or ID number and credit card information are all mandatory requirements based on Cypriot and EU law relating to hotel reservations and operations. We are obligated to collect and store this data.
Interaction with us on social media platforms may also temporarily reveal, or provide access to, additional forms of personal data, including the identity of your family members, pictures or images, preference and opinions, and other information. Please note that we do not store, process or use this information, but we may have access to it, as for instance we may be able to see your profile online, or you may send us a message via social media.
3. Storage of Personal Data
We store your personal data on the following applications:
a. On the Online Travel Agency platforms you may have used to make your reservation, e.g. Booking.com, Expedia.com. We have access to this data (but do not control it) in order to process the reservations made on third party platforms to our own central reservation system. If you wish to delete this data, please note that you will have to address your request to the Online Travel Agent you have used for the reservation.
b. On our Central Reservation System (CRS), which is used to manage occupancy in our hotel. Our CRS is also used as an accounting system.
c. On our online HotelFeedback application, which is used by guests to gain free access to Wi-Fi during your stay with us.
d. On our online Mailchimp application, which is used for periodic guest email communications.
e. On our Microsoft Outlook email client, in the case you have emailed us directly, or via an Online Travel Agency or other commercial partner or vendor.
f. On our computer hard drives, in case information such as a CV, motivation letter or other documents containing personal data are submitted.
g. On Social Media platforms such as Facebook.com, in case you have messaged us directly, or interacted with us in another way such that your personal information is stored or visible on our social media profile/s or accessible via these profiles.
h. On our paper-based Guest Registration Forms, which all guests must complete and sign at the Reception Desk in order to receive access to our hotel. (We usually request a single guest to complete this data, not all guests on a reservation).
i. In some cases, we will make paper-based photocopies of Guest passports or Identification documents to accompany our Guest Registration Forms.
j. On our paper-based Spa Medical Forms, which all Spa users must complete and sign, disclosing potential medical or health conditions.
k. On our paper-based Quality Survey forms, which are optional to complete.
4. Use of Data
The data we collect is used for the following main purposes:
a. To assure our legal compliance with the national and European laws and regulations affecting travel within Cyprus and the European Union. Specifically, this includes the Cyprus Hotel and Tourism Accommodation Law (versions 1969 – 2014 and future editions), as well as further instructions by the Cyprus Tourism Organisation for the management and administration of hotels.
b. To assure our legal compliance with national public safety and residential requirements established by the Cyprus Ministry of Interior, the Cyprus Police and other official regulators and authorities in Cyprus.
c. To assure our legal compliance with national accounting and financial standards established by the Cyprus Ministry of Finance, the Registrar of Companies, and other official regulators and authorities in Cyprus.
d. To assure our legal compliance with accommodation and service contracts signed with our commercial partners and suppliers (including Travel Agents, Tour Operators, and Online Travel Agencies) as well as with you, as our guest, directly.
e. To safeguard your health and safety in case you have specific dietary and health requirements that affect your stay with us, including your use of optional services such as our swimming pool, spa, hammam and other facilities and services.
f. To provide access to areas or services, e.g. the breakfast area, the spa, or a conference or event held within our hotel.
g. To continually improve our services, for instance through optional quality surveys in which we request your candid assessment of our hotel, facilities, services and performance.
h. To communicate with you regarding developments, news, events and offers relating to our hotel.
i. To inform commercial partners such as Travel Agents, Tour Operators and Online Tour Operators, for contractual issues which may arise during your stay with us.
j. To inform third party vendors and suppliers such as restaurants, excursion organizers, airport transfer firms and similar parties, for services that you may have contracted with them via our hotel.
k. To store employment requests, CVs, motivation letters and related documents relating to employment at our hotel.
5. Data Transfers to Third Parties
Please note that we will only use your data for our own purposes, including for the legal obligation we have to national authorities and commercial partners (suppliers) for the purpose of arranging and managing your stay. Thus:
a. Your personal data on your reservation may be communicated with the Cyprus Ministry of Interior and the Cyprus Tourism Organisation, in line with national law. We cannot alter this policy, which is a national requirement.
b. Your personal data on your reservation may be communicated with our commercial partners, comprising Travel Agencies, Tour Operators or Online Tour Operators, who have supplied us with this information to begin with. Circumstances under which we communicate this information include complaints or disputes relating to services provided.
c. Your personal data may be communicated with third party commercial vendors of services such as airport transfers, restaurant reservations, car rental firms, or excursions, should you have requested such services via our Front Desk or other channel within our hotel, or on our hotel website or other affiliated service.
Please note that we cannot alter, authorize or manage your personal data when it is shared with these three categories of partners, nor can we accept any liability or responsibility for it.
Under no circumstances, however, shall we transfer or disseminate your personal data for any purpose not related to national requirements, commercial services you have initiated and requested, or communication initiated by our hotel which concerns the services and facilities offered by our hotel.
6. Data Access, Encryption and Protection
We take measures to protect your personal data. These include:
a. Data held in our Central Reservation System is accessible only by authorized users logging in via an authorized account. Guest profiles cannot be exported.
b. Data held in third-party Central Reservation Systems, such as those maintained by Online Travel Agencies, Travel Agents or Tour Operators, is encrypted using SSL. Access is restricted to authorized users in our Reservations Department.
c. Data held in our email applications (MS Outlook) is available only to specific posts of our hotel, including Reservations and Front Office.
d. Data held in other online applications, notably HotelFeedback or Mailchimp, is encrypted using SSL and accessible only to authorized users.
e. Paper data of sensitive guest information, including Reservation Forms, ID or passport copies and credit card authorization slips, is kept in hard copy in our Accounting Department. All guest files of this type are kept in a locked area, and access to them is restricted.
f. Paper data of optional guest information, such as quality surveys or Spa medical forms, is kept in a locked office, and the forms are disposed of after 2 years.
7. Storage Duration
We will store your personal data for the following duration:
a. National public security law obligates us to maintain a copy of your reservation data and signed forms at our hotel for a period of 7 years. In practice, we maintain this information indefinitely.
b. National public security law obligates us to maintain a copy of your accounting data and financial information, e.g. payment status and VAT invoice, at our hotel for a period of 7 years. In practice, we maintain this information indefinitely.
c. Any information submitted on non-legally-mandated paper-based forms is typically discarded within 2 years. This includes paper-based quality surveys or Spa registrations, but does not apply to the Reservation Forms presented at check-in.
d. Any personal information held via email request or other electronic registration is stored indefinitely. However, you have the option to unsubscribe or request deletion of this data.
e. Any information submitted via email or post relating to employment is stored indefinitely, as we hire seasonal staff each year.
f. Any non-material data, e.g. breakfast access lists, is disposed of immediately, e.g. within 24-48 hours of its use.
8. Your Access to Data
You may request access to your data under the European Union’s General Data Protection Regulation (GDPR). Please do this by sending a request for information on the data that we hold about you to our Data Protection Officer:
Please allow up to 22 working days for a response.
Please note that we will request that you confirm your identity prior to releasing any data.