This Privacy Notice (“Privacy Notice”) describes how The Erawan Group Public Company Limited "(Erawan)" "we," "us," or "our") We collect, use and disclose personal data of our individual customers, contact persons of our customers (in case of our corporate customers) and any person who we receive their personal data ("you" or "your"), and tells you of data protection rights.
This Privacy Notice (“Privacy Notice”) describes the privacy practices of Erawan for data that we collect:
- from the entities within the Erawan;
- our hotel franchisor and partners;
- through websites operated by us from which you are accessing this Privacy Notice and other websites owned or controlled by our affiliates, hotel franchisor, hotel partners, and other third party service providers (e.g., booking sites, travel agencies, tour groups);
- through the software applications made available by our hotel partners and third party service providers for use on or through computers and mobile devices;
- when you visit or stay as a guest at one of our hotels or through other offline interactions such as promotional events;
- when you contact us in for our retail space services, storage, small spaces, space for advertising media (including sign board);
- through any other form you communicate and interact with us (e.g., sales representative, customer service calls); and
- any other channels that may provide us with Personal Data.
1. The types of Personal Data we process
The term “Personal Data” in this Privacy Notice refers to any information which can be used to identify you as an individual, provided voluntarily when you connect with us by any means, whether oral, written or electronic, as listed below.
"Sensitive Data" means Personal Data classified by law as sensitive data. We will only collect, use, disclose and/or cross-border transfer Sensitive Data if we have received your explicit consent or as permitted by law.
The Personal Data we collect may include, but are not limited to, the following:
- Personal information, identification and contact information: such as your name-surname, title, gender, nationality, date of birth, address, telephone/mobile number, fax number, email address, education; workplace; household income; salary; insurance details; government-issued identification numbers and cards (e.g., national identification card, driver’s license information, tax identification), signature; house registration; immigration information, passport and visa information; postal address, delivery details, billing address, your contact person detail such as telephone number, contract data on other correspondence (e.g. written communication with you).
- Guest stay information: such as number of persons, number of rooms, travel itinerary, previous reservation details, check in, check out dates and cancellation date; guest preferences, enquiries and comments and other data such as your interests, activities, food and beverage choices, services and amenities of which you advise us or which we learn about during your visit;
- Payment information: such as debit/ credit card or bank information, credit/debit card number, credit card type, cycle cut, bank account details, payment details and records;
- Social media account: such as social media account ID and details provided on your social media accounts and sites;
- Loyalty membership information: such as account details, member card number, reward points, credit card issuance/expiration date, member ID, member type, customer type, member join/registration date and month, membership length, bank account and payment details, and service and product applications (e.g. membership application, insurance application); co-branded payment cards, travel partner program affiliations, social media accounts linked to loyalty programs;
- Technical Information: such as Internet Protocol (IP) address, cookies, media access control (MAC) address, log, device ID, device model and type, network, connection details, access details, access time and location, time spent on our page, login data, search history, browsing details, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on devices you use to access our platform; website use, website traffic data;
- Behaviour details: such as information about your purchasing behavior and data supplied through the use of our products and services;
- Profile details, such as your username and password, profile details and picture, service and purchase history, financial records, your interests, preferences, feedback and survey responses, satisfaction survey, social media engagement, participation details, your use of discount codes and promotions, customer order description, customer service, attendance to events, trade exhibitions, litigation, testing, and trials;
- Marketing preferences: such as information you provide or in the course of participating in our events, surveys, contests or promotional offers;
- Data about family members and companions: such as names and ages of children;
- CCTV images and footages: such as images and video collected through the use of closed circuit television systems (CCTV) and internet systems on our premises;
- Guest preferences: such as (e.g. high/ low floor, smoking/non-smoking room, all female floor), Life practice (e.g., preferred foods, beverages, newspapers and types of pillow), enquiries and comments and other data such as your interests, activities, food and beverage choices, services and amenities of which you advise us or which we learn about during your visit;
- Other relevant information: such as company registration information (for corporate customers), police station reports for retails space customers; Personal Data generated in connection with your relationship with us; signatures, and your correspondence with us;
- Sensitive data: such as Health information (e.g. allergies); disability information (e.g., hearing, mobility, visual, or wheelchair needs); Sensitive data from official identification documents (such as religion, race and ethnicity); religion.
We will only collect, use, and/or disclose your Sensitive Data if we have received your explicit consent or as permitted by law.
If you submit any Personal Data about other people to us or our service providers such as when you make a reservation for another individual, please provide this Privacy Notice for their acknowledgement and/or obtaining consents where applicable for us.
2. Why we collect, use and/or disclose your Personal Data
Except in limited instances when we indicate that certain information is based on your consent, we collect use, and/or disclose your Personal Data on the legal basis of (1) contractual basis, for performance of activity in relation to the our business relationship; (2) legal obligation, for fulfilment of our legal obligations; (3) legitimate interest, for the purpose of our legitimate interests and the legitimate interests of third parties, proportionate to your interest and fundamental rights and freedoms to the protection of your Personal Data; (4) vital interest, for the prevention or suppression of danger to a person's life, body, or health; (5) public interest, for the performance of task carried out in the public interest or for exercising of official authorities or duties; and/or (6) the reason for an establishment and defenses of legal claims in the future.
2.1 Purpose for which consent is required
We rely on your consent to:
- Marketing and Communications: To provide marketing, communications, sales, special offers, promotions, notices, news, and information about the products and services from us, our affiliates and subsidiaries under The Erawan Group, and the third parties which we cannot rely on other legal grounds
- Sensitive data: To collect, use, disclose and/or transfer your Sensitive Data for the following purposes:
- Health information (e.g. allergies): to provide the appropriate accommodations and services to our hotel guests/customers (e.g. to prevent dust or food allergies) and for the guest/customer's record management purposes;
- Disability information (e.g., hearing, mobility, visual, or wheelchair needs): to provide the appropriate accommodations and services to our hotel guests/customers and or the guest/customer's record management purposes;
- Sensitive data from official identification documents (such as religion, race and ethnicity): for authentication and verification purposes;
- Religion: to provide accommodations and services to our hotel guests/customers and for the guest/customer's record management purposes;
- Biometric information (e.g. facial recognition): for security and crime prevention purposes;
Where legal basis is consent, you have the right to withdraw your consent at any time. This can be done so, by contacting our Data Protection Officer via email : firstname.lastname@example.org. The withdrawal of consent will not affect the lawfulness of the collection, use, and disclosure of your Personal Data and Sensitive Data based on your consent before it was withdrawn.
2.2 Purpose for which we rely on other legal grounds
We may collect, use and disclose your Personal Data for the following purposes:
- Providing the services you request, such as whether they are services provided at any of our hotels or retail spaces. This includes: facilitating guest reservations, guaranteeing and confirming your reservation and stay, verifying your identity, answering customer service requests and inquiries, processing for quotation, billing, invoicing, refunds and payment details, personalizing our services according to your preferences, entering into a lease agreement for our retails space customers, and conducting activities related thereto; refund and exchange of products or services; to operate, track, monitor, and manage our sites and platform to facilitate and ensure that they function properly, efficiently, and securely; to facilitate your experience on our sites and platform; improve layout, and content of our sites and platform.
- Marketing and Communications, such as to provide privileges, offers, updates, sales, special offers, promotions, advertisements, notices, news, information and any marketing and communications about the products and services from us, our affiliates and subsidiaries under The Erawan Group which meet your legitimate interests or in accordance with preferences you have expressed directly or indirectly;
- Loyalty program management, such as to allow for the participation and creation of loyalty program accounts, earning and using points, sending you offers, promotions and information about your account status and activities (e.g., sending you reminder emails); to process points collection, addition, exchange, earning, and redemption; to process and administer your account registration, gift registration, event registration; to examine your entire user history; to provide and issue gift vouchers and gift cards;
- Monitoring and ensuring customer satisfaction,such as improving our services, sending customer satisfaction and quality assurance surveys and adjusting operations based on customer preferences;
- To improve business operations, products, and services: such as to determine business operations efficiency; to improve business performance; to assess and evaluate the service we provide to you in order to improve our services and operations; to recommend products and services that might be of interest to you, identify your preferences and personalize your experience; to create aggregated and anonymized reports; to measure the performance of marketing campaigns; to learn more about you, the products and services you receive and other products and services you may be interested in receiving; to measure your engagement with the products and services, undertake data analytics, data profiling, market research, assessments, behavior, statistics and segmentation, consumption trends and patterns; profiling based on the processing of your Personal Data, for instance by looking at the types of products and services that you use from us, how you like to be contacted.
- Security, system monitoring, and IT Management; such as to authenticate and verify a person; to ensure safety and security of all our customers, employees and visitors to our hotels and retail space properties;to implement access controls and logs where applicable; to monitor system, devices and internet; and to ensure IT security; for our business management purpose including for our IT operations, management of communication system, operation of IT security and IT security audit; internal business management for internal compliance requirements, policies, and procedures;
- Other business purposes, such as granting access to our hotels and properties, processing lost and found requests, record-keeping and updating and information sharing, collecting data on parking, conducting market research and analysis, and operating/expanding our business activities;
- Enforcement and defense of our legal rights and claims; such as to solve disputes; dispute handling; to enforce our contracts; and establish, exercise or defend of legal claims;
- To protect our interests, to exercise our rights or protect our interest where it is necessary and lawfully to do so, for example to detect, prevent, and respond to fraud claims, intellectual property infringement claims, or violations of law; to manage and prevent loss of our assets and property; to follow up on incidents; to prevent and report criminal offences and to protect the security and integrity of our business;
- Conforming to our legal and regulatory obligations, such as to comply with legal obligations, including record-keeping, sending daily reports, and registration of hotel customers as required by law; to comply with legal proceedings, or government authorities' orders which can include orders from government authorities outside Thailand, and/or cooperate with court, regulators, government authorities, and law enforcement bodies when we reasonably believe we are legally required to do so, and when disclosing your Personal Data is strictly necessary to comply with the said legal obligations, proceedings, or government orders; issue tax invoices or full tax forms; conduct VAT refunds; record and monitor communications; make disclosures to tax authorities, financial service regulators, and other regulatory and governmental bodies, and investigating or preventing crime.
- Transfer in the event of merger, such as, in sale, transfer, merger, reorganization or similar event we may transfer your Personal Data to one or more third parties, including companies, affiliates and subsidiaries under The Erawan Group, as part of that transaction;
- Risks: To perform risk management, audit performance, and risk assessments; and/or
- Life: such as, to prevent or suppress a danger to a person’s life, body, or health.
Where we need to collect, use, and disclose your Personal Data as required by law, or for performance of a contract with you and you fail to provide that Personal Data to us, we may not be able to perform the contract we have or are trying to enter into with you.
Where consent is required for certain activities of collection, use or disclosure of your personal data, we will request and obtain your consent for such activities separately.
3. Disclosures of your Personal Data
We may transfer or disclose your Personal Data to the following:
- Erawan Group companies, and other Hop Inn Hotel owned and managed hotels. Your Personal Data may be accessible to or shared with other entities that are our affiliates and subsidiaries under The Erawan Group, including entities operating Hop Inn hotel for the purposes set out in this Notice;
- Hotel franchisors and partners. including their representatives, as are relevant for the above purposes and to facilitate the operation of our businesses;
- Other third parties. We may use other companies, agents or contractors to perform services on behalf or to assist with the provision of products and services to you. We may share your Personal Data to our service providers, or third-party suppliers, or business partners including, but not limited to (1) infrastructure, internet, infrastructure technical, software, website developer and IT service providers; (2) data storage and cloud service providers; (3) telecommunications and communication service providers; (4) storage and logistics service providers; (5) payment service providers; (6) research agencies; (7) analytics service providers; (8) survey agencies; (9) auditors; (10) marketing, advertising media, and communications agencies; (11) call centers; (12) campaign and event organizers; (13) sale representative agencies; (14) travel agencies and reservations agencies; (15) insurance company; (16) banks, financial institutions, payment, payment system, and authentication service providers and agents; (17) outsourced administrative service providers; and/or (18) healthcare providers or hospitals;
- Professional advisors. This includes lawyers, technicians and auditors who assist in running our business, and defending or bringing any legal claims;
- Courts, government authorities and regulatory agencies (e.g., Immigration Bureau, Department Of Provincial Administration, police) in order to respond to subpoenas, court orders, or legal processes and to comply with existing requirements under law and regulation, or to exercise our legal rights when we find that your actions violate our terms and conditions, or our hotel policies for specific products and or services;
- Third parties as our assignee of rights and/or obligations, in the event of any reorganization, merger, business transfer, whether in whole or in part, sale, purchase, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock or similar transaction.
Some of the recipients we may share your Personal Data with may be located outside Thailand which the destination countries may or may not have the same equivalent level of protection for Personal Data protection standards. In such case, we ensure appropriate safeguards in place, and oblige the recipients to protect your Personal Data in accordance with this Privacy Notice and as allowed by applicable law using appropriate security measures. We will request your consent where consent to cross-border transfer is required by law.
4. Minor, quasi-incompetent or incompetent person
If you are a minor under the age of 20, quasi-incompetent or incompetent person, you may not be able to provide your Personal Data to us before we obtain parental or guardian consent in accordance with the applicable law. We do not intend to collect, use, and disclose Personal Data of individual who are considered minors, quasi-incompetent, or incompetent person (under the applicable law) unless we have obtained parental or guardian consent, or unless said parental or guardian consent in not required under the applicable data protection law.
In the event we learn that we have unintentionally collected Personal Data from the minor, quasi-incompetent or incompetent person, we will delete it immediately or we will process it only if we can rely on other legal basis apart from consent.
5. Retention and protection of Personal Data
Subject to applicable data laws, we will retain your Personal Data for as long as necessary to fulfill the purposes for which it was collected or to comply with legal, regulatory, and internal requirements. However, we may have to retain your Personal Data for a longer duration, as required by applicable law.
6. Your rights and a data subject
Subject to the applicable conditions under the Thai Personal Data Protection Act B.E. 2562, you have the right to:
- The right to access your Personal Data. This also enables you to receive a copy of the Personal Data we hold about you and to check on how we acquire certain Personal Data without your consent;
- The right to port your Personal Data to another party. This means to receive copies of your Personal Data in an electronic format and/or ask us to transfer it to another party;
- The right to object to the collection, use and disclosure of your Personal Data for certain cases, including when we use your Personal Data for direct marketing purposes;
- The right to delete, destroy or anonymize your Personal Data. This enables you to ask us to delete, destroy or anonymize Personal Data where there is no valid ground for us to continue the collection, use and disclosure of such Personal Data;
- The right to restrict the use of your Personal Data. This enables you to ask us to suspend the collection, use and disclosure of your Personal Data;
- The right to rectify the Personal Data we hold about you. This enables you to have any inaccurate, outdated, incomplete, and misleading Personal Data we hold about you rectified;
- The right to make a complaint to a competent authority under the applicable data protection law; and
- The right to withdraw your consent at any time where we collect, use and disclose your Personal Data based on your consent. This will not affect the lawfulness of the processing based on consent before the withdrawal.
7. Links to other sites
This website may contain links to unaffiliated third party websites. Except as set forth herein, we do not share your Personal Data with them, and are not responsible for their privacy practices. We suggest you read the privacy notices on all such third party websites.
8. Changes to this Notice
We may amend this Notice from time to time. Where applicable, we may notify you when material changes have been made to this Notice by means we deem appropriate. We recommend that you periodically revisit or keep track of this Notice to learn of any changes.
9. Contact details for concerns / questions
Should you have any questions or concerns regarding this Privacy Notice, or if you would like to exercise your rights as a data subject, please feel free to contact us through the following details:
The Erawan Group Public Company Limited
6th Floor, Ploenchit Center, 2 Sukhumvit Road, Kwang Klongtoey, Khet Klongtoey, Bangkok 10110 Thailand
Telephone. 66 (0) 2257 4588
Fax. 66 (0) 2257 4577
The contact details of our data protection officer are as follows: