Privacy Notice

If you stay with us, are interested in staying with us or are applying to work for us, one of our companies (Hotel Du Vin Trading Limited, Malmaison Hotel Du Vin Brand Services Limited, Malmaison Trading Limited or New Light Hotels Limited), acts as the "data controller" by deciding how and why to collect, use, keep and share your personal data.

We are a member of the Frasers Property Group. You can read our Group Privacy Notice at www.frasersproperty.com.

Personal data are any information that can directly or indirectly identify you. Special category data are any information about your biometrics, ethnic or racial origin, genetics, health, philosophical and religious beliefs, political opinions, sex life, sexual orientation and trade union membership.  Criminal conviction and offence data are any information about any criminal activity, allegations, investigations and proceedings that you may have been involved in.

If you stay with us or are interested staying with us, or use any of our services, we may collect, use, keep and share different kinds of data about you, including:

• Consultation data: Survey responses; 
• Contact data: Communication preferences, home or work address, landline and mobile telephone numbers, and email address, and signature;
• Financial data: Bank and building society account details, guest benefits and discounts, credit and debit card details, and insurance details;
• Health and wellbeing data: Accidents or medical emergencies, dietary requirements, disability, underlying medical conditions or status (for example, pregnancy) and weight;
• Identity data: Date of birth, name, national identity or passport number, photographs and signature;
• Marketing and publication data: Content for our communications including articles, blogs, speech transcripts and videos, and loyalty programmes, newsletters, offers and promotions;
• Monitoring data: Age, behaviour, CCTV images, entry to and exit from buildings and floors and rooms, gender, IP address, marital status, nationality, room numbers, and use of paid services; 
• Request, complaint and dispute data: Complaints, lost items, preferences regarding your stay, reservations, transport booking and wake up calls; and
• Right to drive data: Driving licence and vehicle ownership.

We may collect, use, keep and share different kinds of data about your emergency contacts, friends, next of kin and relatives, so that we can tell them if you have an accident or medical emergency, or they are staying with you, or they want to arrange a gift for you (for example, chocolates, champagne, flowers, reservation or room upgrade).

If you are applying to work for us, we may collect, use, keep and share different kinds of data about you, including:

• Consultation data: Survey responses; 
• Contact data: Communication preferences, home or work address, landline and mobile telephone numbers, and email address;
• Health and wellbeing data: Disability and underlying medical conditions or status;
• Identity data: Date of birth, name, occupation and signature;
• Monitoring data: Age, CCTV images, ethnic and racial origin, gender, immigration status, marital status, nationality, religion, and sexual orientation; 
• Recruitment and vetting data: Employment history and references, academic and professional qualifications, criminal convictions and offences, job applications and security questions and answers; and
• Right to drive data: Driving licence.

We may use different ways to collect your personal data, including:

• directly from you when you complete our forms, talk to or write to us; 
• indirectly from someone else or another organisation when you have asked them to share your personal data, such as your adviser, friend, lawyer, referee, recruitment agency, relative or travel agent; and 
• indirectly from someone else or another organisation when we ask them or they ask us, to share your personal data (please read "How do we share your personal data" for more details).

We can only use your personal data when we have a “basis”, including your consent, or it is necessary to give you a contract or to give you what we promised under that contract, or because a law tells us to do so, or to protect your or someone else's life, or it is necessary for a public or legitimate interest. We use your data for different reasons, depending upon your relationship with us and the type of that data.

We may share your personal data with organisations outside our Group in your country or abroad, who act as the "data processors" for your personal data to help us provide our services to you. This means that they process your personal data strictly on our behalf, under contract with us and under our instructions. They include:

• AirAngel Limited to provide you with Wi-fi (you can read their Privacy Notice at https://airangel.com);
• Amillan to provide you with a landline (you can read their Privacy Notice at amillan.co.uk);
• Chubb Limited for maintenance of our CCTV, which we use to prevent and detect crime, and to ensure your health and safety (you can read their Privacy Notice at chubbfs.com);
• Creventa Group Limited to help us to manage your food orders (you can read their Privacy Notice at https://creventa.com);
• CrowdStrike to protect our networks, and your personal data against unauthorised access or data leakage (you can read their Privacy Notice at crowdstrike.co.uk);
• dotdigital EMEA Limited to help us to send you our offers, newsletters and promotions (you can read their Privacy Notice at dotdigital.com);
• Equator (Scotland) Limited to help us to maintain our website (you can read their Privacy Notice at eqtr.com);
• Iron Mountain to help us store hard copies of your records (you can read their Privacy Notice at ironmountain.com);
• ITS Software Systems Ltd (trading as Eploy) to help you to apply to work for us (you can read their Privacy Notice at eploy.co.uk);
• Laundry providers (various) to wash, dry and iron your clothes (please contact the relevant hotel reception for your local provider’s identity and privacy notice);
• Microsoft to help us keep your personal data and to communicate with you (you can read their Privacy Notice at microsoft.com);
• Oracle to help us to keep your data via OPERA and Nor1 in regard to most of the reasons outlined in "How do we use your personal data" above (you can read their Privacy Notice at oracle.com);
• Royal Mail to help us to return your lost items to you (you can read their Privacy Notice at royalmail.com);
• Shield Safety Group Limited to help you when you have an accident or medical emergency via SSG RiskProof (you can read their Privacy Notice at https://shieldsafety.co.uk);
• Transport companies (various) to help you to book transport, for example buses and taxis (please contact the relevant hotel reception for your local provider’s identity and privacy notice);
• Upland Software to help us to send you our offers, newsletters and promotions via BlueVenn (you can read their Privacy Notice at  uplandsoftware.com);
• UpMail to help us to send you a proposal to organise your events and functions, for example your wedding (you can read their Privacy Notice at upmailsolutions.com);
• UpsellGuru GmbH to help us to manage your pre-arrival, online check in and upgrade requests (you can read their Privacy Notice at upsellguru.com);
• Viking Cloud to protect our networks, and your personal data against unauthorised access or data leakage (you can read their Privacy Notice at vikingcloud.com); and
• Zonal to help us to manage your dietary requirements and restaurant bookings (you can read their Privacy Notice at zonal.co.uk).

We may share your personal data with organisations outside our Group in your country or abroad, who act as the "joint data controllers" for your personal data when we ask them or they ask us to share your personal data for our and / or their own reasons, including:

• audit and law firms;
• government departments responsible for your criminal record, driving licence, emergency services (in particular, ambulance and fire services), ensuring that we treat you fairly whatever your background, your immigration, law enforcement (in particular, the police) and your nationality status;
• regulators, for example in regard to health and safety;
• social media companies (various) to respond to your requests, complaints and disputes;
• your academic and professional examination boards;
• your and our banks and / or building societies;
• your and our insurance companies (including Allianz Insurance, Assicurazioni Generali S.p.A, Chubb Insurance and Zurich Insurance; you can read their privacy notices at allianz.co.uk, www.generali.com, www.chubb.com and www.zurich.co.uk);
• your colleges, schools and universities;
• your doctors;
• your previous employers; and
• your travel agent (including Booking.com, Expedia, Hotels.com and Snaptrip Group Limited [trading as Laterooms.com]; you can read their privacy notices at booking.com, www.expedia.co.uk, https://uk.hotels.com and www.laterooms.com).

We allow links on our webpages to websites, plug-ins and applications belonging to organisations outside our Group in your country or abroad.

Shiji Information Technology Spain, S.A. (trading as ReviewPro) use their Global Review Index algorithm to generate and provide us with numerical scores from 0 to 100 based on the overall score of your and other guests’ reviews of our hotels (for example, about our locations, service and value) on online travel agency and review websites (you can read their Privacy Notice at www.reviewpro.com).

We may share your personal data between companies in our Group, in your country or abroad (in particular, Singapore and the United Kingdom), who act as either the “data processors” or “joint data controllers”, to help you to apply to work for us and / our internal functions (including audit, finance, HR, IT, legal services and procurement).

We will make sure that the country we are transferring your personal data to, protects your rights and that the transfer is secure, for example by signing a contract with the organisation receiving your personal data.

We will make sure that: 

• we have strong IT and physical security;
• we limit access to your personal data on a strictly need to know basis;
• we have agreements and contracts with other organisations to make clear how we allow them to use your personal data;
• we spot and fix any risks to your personal data; and
• we enforce staff completion of training about how to keep your personal data secure.

We will keep your personal data for the shortest time that we can, depending on why we need your personal data, if there is a law telling us to keep your personal data and if there is good advice recommending how long we should keep your personal data. For example, we may keep your personal data for 31 days to prevent and detect crime, and to ensure your health and safety via your CCTV images, 2 months if you are unsuccessful in applying for a job with us and prefer that we do not contact you about future jobs, 5 months if you are unsuccessful in applying for a job with us and prefer that we do contact you about future jobs, 6 months for recordings of your telephone calls to our Reservation Sales Centre, 3 years to manage your requests, complaints and / or disputes, and 6 years as part of investigations by regulators, legal proceedings or requests.

You have the following rights about your personal data:

• for us to tell you about how we collect, use, keep and share your personal data; 
• you may withdraw your consent at any time where we are only collecting, using, keeping or sharing your personal data with your consent;
• you may make a subject access request for a copy of your personal data;
• you may ask us to correct your personal data if it is not accurate, not complete or it is out of date;
• you may ask us to delete your personal data where it is not necessary for us to keep it;
• you may ask us to limit how we use or share your personal data;
• you may ask us to transfer a copy of your personal data to another organisation;
• you may ask us to stop collecting, using, keeping or sharing your personal data, including the use of software to make decisions about you or find out what you like or how you behave; and
• you may complain to the UK Information Commissioner’s Office, although it would be helpful if you could please tell us first to give us a chance to fix what you may be unhappy with.

You will  need to provide us with copies (not originals) of proof of your identity, preferably electronic, if you would like to exercise your rights. One document must include your name and date of birth, and the other must include your name and current address. Acceptable documents include, but are not limited to, your bank or utility statements, birth and marriage certificates, driving licence, national identity card, NHS medical card and passport.

There may be situations where we cannot agree with some or all of your request (for example, where you ask us to delete personal data that is necessary for us to keep).

We have an initial month and where necessary, up to three months in total, to handle your request.

You should: 

• read this and our other privacy notices to understand how we will collect, use, keep and share your personal data;
• take steps to keep your personal data accurate, including telling us about changes to your contact and financial data;
• take steps to keep your personal data secure, including not telling someone else about your usernames and passwords, making sure that you send your personal data to us in a safe way and that you are alert to scams (for example, we will never ask you for payment via instant messaging such as WhatsApp, and you should always contact your bank immediately to confirm whether or not you can trust an email or text claiming that your credit or debit card has been cloned or stolen); 
• tell us immediately if you believe that someone has accessed or taken a copy of your personal data without our consent, or you have received someone else’s personal data in error;
• ensure that you have the consent of other individuals (or parental responsibility for them if they are under 16 years old) when providing their personal data to us;
• be aware that you may commit a criminal offence under section 170 of the UK Data Protection Act 2018 if you look at, request, share or take someone else’s personal data from us without their and / or our consent; and
• remain patient and polite when asking us questions, raising complaints or exercising your rights in respect of, your personal data.

If you have any questions or complaints about how we use, or you would like to exercise your rights (except for requesting a copy of a VAT invoice for your stay with us or unsubscribing from marketing; please see below) in respect of, your personal data, or you believe that someone has collected, used, kept or shared your personal data without our consent, please contact our Data Protection Officer via: privacy.emea@frasershospitality.com or Data Protection Officer (EMEA), Legal Services, Frasers Hospitality (UK) Limited, 3^rd Floor, 95 Cromwell Road, London (UK), SW7 4DL.

If you would like to request a copy of a VAT invoice for your stay with us, please contact our invoice team via: invoicecopies@malmaison.com.

If you have any questions or complaints about our marketing, please contact our marketing team via: marketing@malmaison.com. If you would like to unsubscribe from marketing, please click on the unsubscribe link in the last marketing email that you received, or edit your Malmaison account profile.

If you would like to request a copy of your personal data for an insurance or legal claim (for example, about a collision between your and someone else’s vehicle in our car park), you should ask your insurance company or law firm to make that request to us on your behalf. The police should make any request for a copy of your personal data for the prevention and detection of crime, to us directly.

If you are an insurance company, law firm or other representative and would like to request the personal data of someone on their behalf, you should provide us with an email or letter from them giving you their permission to do so.

If you are the police and would like to request the personal data of someone who has stayed with us for the prevention and detection of crime, please initially contact the relevant hotel directly via your own official request form. Your form should specify the name and section of the law that you are investigating the alleged offence under (for example, theft under section 7 of the Theft Act 1968) and the limited nature and scope of the personal data that you are requesting (for example, the time, date and location of our CCTV footage and the appearance and behaviour of the suspect that it captures). A senior officer of sergeant level or above should countersign your form.

If you would like to contact us about anything which is not a data protection matter (for example, about making a reservation to stay with us), please Contact Us. We will not respond to any marketing emails, which are automatically diverted to our junk folder for deletion.

Well done for reading to the end of this Privacy Notice. Please make sure that you regularly come back to read this Privacy Notice as we will update it to include any changes that you should be aware of.