Data Privacy policy

CUSTOMER PERSONAL DATA PROTECTION CHARTER SPA.ACCOR.COM

1. THE ACCOR GROUP'S COMMITMENT TO PROTECTING PRIVACY

We consider you an important customer. Our first priority is to offer you exceptional stays and experiences throughout the world.

Your complete satisfaction and confidence in Accor is absolutely essential to us.

That's why, as part of our commitment to meeting your expectations, we have set up a customer personal data protection charter. This charter formalizes our commitments to you and describes how the Accor Group uses your personal data when you are using the Spa.accor.com website, accessible at the address www.spa.accor.com hereafter referred to as the "Website".

 

2. SCOPE OF APPLICATION

This charter describes how Accor processes your personal data in the context of the booking of a treatment in a hotel. Information on the processing of your personal data when you book a package stay in a hotel with one or more treatments is described in the personal data protection charter of the all.accor.com website.

In this charter, “Accor Group” means:

  • Accor SA, the Accor Group parent company, with registered offices at 82 rue Henri Farman, 92130 Issy-les-Moulineaux, France;

  • Subsidiary or affiliate companies of Accor SA involved in the businesses of the Accor Group

When booking a treatment in one of the proposed Establishments your personal data will be dealt with by Accor SA and the Establishment in question, both acting as Data Controllers for their own, separate, purposes. 

In summary:  

  • Accor SA will process your data because it manages the treatment reservation tool in the Establishments, which allows Accor SA to collect the necessary data to organize your visit to the establishments and to communicate this data to the concerned establishments.

  • Each establishment will process your data to manage its contractual relationship with you (invoicing, payment, etc.) and to prepare your visit.

3. ACCOR'S TEN PRINCIPLES FOR PROTECTING YOUR PERSONAL DATA

In accordance with applicable regulations, in particular the European General Data Protection Regulation, we have instituted the following ten principles throughout the Accor Group:

  • Lawfulness: We use personal data only if:

- we obtain the consent of the person, OR

- it is necessary to do so for the performance of a contract to which the person is a party, OR

- it is necessary for compliance with a legal obligation, OR

- it is necessary in order to protect the vital interests of the person, OR

- we have a legitimate interest in using personal data and our usage does not adversely affect the persons’ rights

  • Fairness: We can explain why we need the personal data we collect.

  • Purpose limitation and data minimisation: We only use personal data that we really need. If the result can be achieved with less personal data, then we make sure we use the minimum data required.

  • Transparency: We inform people about the way we use their personal data

  • We facilitate the exercise of the people’s rights: access to their personal data, rectification and erasure of their personal data and the right to object to the use of their personal data

  • Storage limitation: We retain personal data for a limited period

  • We ensure the security of personal data, i.e. its integrity and confidentiality.

  • If a third party uses personal data, we make sure it has the capacity to protect that personal data.

  • If personal data is transferred outside Europe, we ensure this transfer is covered by specific legal tools.

  • If personal data is compromised (lost, stolen, damaged, unavailable…), we notify such breaches to the respective country’s responsible authority and to the person concerned, if the breach is likely to cause a high risk in respect of the rights and freedoms of this person.

For any questions concerning the ten principles of Accor data protection policies, please contact the Data Privacy department whose details appear in the clause "Your rights".

4. WHAT PERSONAL DATA IS COLLECTED?

To allow us to offer you this treatment booking service, we need to collect the following information about you:

  • your contact details, i.e. your civility, your surname, first name, phone number and email. The provision of such information is mandatory in order for us to take your booking into account. Your booking will not be successful if any of these details are missing.

  • your booking dates and times

  • the Establishment concerned by the reservation

  • the treatment selected

  • your preferences or particular requests that you may formulate during the course of your reservation

In order to satisfy your requests or to provide you with the appropriate service, we provide you with a free comment area during your booking process. This allows you to address your preferences or any other information you deem useful in relation to your reservation. In this respect, we invite you not to enter inappropriate, excessive, or insulting comments and not to enter any information that may include sensitive data within the meaning of Article 10 of GDPR. These sensitive data are in particular those:

  • revealing racial or ethnic origin, political opinions, religious or philosophical convictions or trade union membership,

  • concerning the health, life or sexual orientation of a natural person.

5. FOR WHAT PURPOSES IS YOUR DATA COLLECTED AND HOW LONG DO WE RETAIN IT?

The table below sets out why we process your data, the lawful basis for the processing and the associated retention period:

5.1 - Purpose/Activity: Manage your treatment bookings with establishments, especially:

  • Allowing you to book a treatment;

  • Ensuring the transmission of your requests to the Establishments

  • Sending you booking confirmation emails and, if necessary, any email informing you about the status of your reservation (modification, cancellation etc.)

5.1.a- Legal basis for processing including legitimate interest: Performance of a contract with you

5.1.b- Retention period: 3 years from the date of your reservation

5.2 - Purpose/Activity: Improving Accor SA services, in particular:

  • Claim management

5.2.a- Legal basis for processing including legitimate interest: Necessary for our legitimate interests in improving our services

5.2.b- Retention period: 2 years from the date of closure of your file in case of a claim or a complaint

5.3 - Purpose/Activity: Complying with any applicable legislation (for example, storing of accounting documents), including:

  • Managing data subjects’ requests regarding their personal data

5.3.a- Legal basis for processing including legitimate interest: Necessary to comply with a legal obligation

5.3.b- Retention period: As stipulated in the respective country’s legislation

 

6. CONDITIONS OF THIRD-PARTY ACCESS TO YOUR PERSONAL DATA

The Accor Group operates in many countries and we endeavour to provide you with the same services throughout the world. Thus, we have to share your personal data with internal and external recipients subject to the following conditions:

  • In order to offer you the best experience for your booking, we share your data with a number of authorised people and departments in the Accor Group.

  • Establishments and their service providers: data relating to your treatment booking and your specific requests are shared with the establishments concerned by your booking and their institute management solution providers.

  • With Accor service providers: your personal data may be transmitted to a service provider such as our hosting company.

  • With local authorities: We may be obliged to send your information to local authorities if this is required by law or as part of an inquiry. We will ensure that any such transfer is carried out in accordance with local regulations.

7. PROTECTION OF YOUR PERSONAL DATA DURING INTERNATIONAL TRANSFERS

For the purposes set out in clause 5 of this charter, we may transfer your personal data to internal or external recipients who may be in countries offering different levels of personal data protection.

Consequently, in addition to implementation of this charter, Accor employs appropriate measures to ensure secure transfer of your personal data to an Accor entity or to an external recipient located in a country offering a different level of privacy from that in the country where the personal data was collected.

Depending on your booking, your data may be transferred to an Establishment outside the European Union, as this is necessary for the execution of such booking.

8. DATA SECURITY

Accor SA takes appropriate technical and organizational measures, in accordance with applicable legal provisions (in particular: Art. 32 GDPR), to protect your personal data against illicit or accidental destruction, alteration or loss, misuse and unauthorized access, modification or disclosure.

9. COOKIES

10. YOUR RIGHTS

You have the right to obtain information about and access your personal data collected by Accor SA, subject to applicable legal provisions. Also, you have the right to have your personal data rectified, erased or have the processing of it restricted.

Furthermore, you have the right to data portability and to issue instructions on how your data is to be treated after your death (hopefully as late as possible!). 

In the event that you wish to exercise any of your above rights, please contact the Data Privacy department for the Accor Group directly by sending an email to data.privacy.wellness@accor.com. For the purposes of confidentiality and personal data protection, we will need to check your identity in order to respond to your request. In case of reasonable doubts concerning your identity you may be asked to include a copy of an official piece of identification, such as an ID card or passport, along with your request. A black and white copy of the relevant page of your identity document is sufficient. All requests will receive a response as swiftly as possible.

You may also exercise your rights in respect of your personal data that is stored and processed by an Establishment as a data controller. For this, you must contact the Establishment directly. You will find all necessary information to contact an Establishment on www.spa.accor.com.

You also have the right to lodge a complaint with a data protection authority. For your information, you can contact the Accor data protection officer by writing to accorhotels.dpo(at)accor.com.

11. UPDATES

We may modify this charter from time to time. Consequently, we recommend that you consult it regularly, particularly when making a treatment reservation at one of the Establishments.

 

12. QUESTIONS AND CONTACTS

For any questions concerning The Accor Group's personal data protection policy, please contact the Data Privacy department (See clause "Your rights").