Effective date: 12 February 2021
1. ACCOR PLUS' COMMITMENT TO PROTECTING PRIVACY
We consider you an important customer. Our first priority is to offer you exceptional services and experiences through the Accor Plus membership program, for example, by giving access to benefits across participating hotels and restaurants and other activities.
Your complete satisfaction and confidence in Accor Plus is absolutely essential to us.
That's why, as part of our commitment to meeting your expectations, we have set up the Accor Plus personal data protection charter. This charter formalizes our commitments to you and describes how Accor Group may use your personal data for the Accor Plus program.
This charter is specific to the Accor Plus program operated by the Accor Group.
For the processing of your personal data by a member of the Accor Group, outside the Accor Plus program, the Accor Group personal data protection charter will apply - https://all.accor.com/security-certificate/index.en.shtml.
For example, the Accor Group personal data protection charter will apply to collection of the data necessary to organise your stay at an Accor branded hotel through the Accor SA central booking engine.
It can be a bit confusing, we know! The charters reflect aligned principles and practices for protecting your personal data. But they set out the different processing that may occur to your personal data depending on whether it is being dealt with for the Accor Plus program under this charter and / or for purposes covered by the Accor Group personal data protection charter.
2. SCOPE OF APPLICATION
In this charter, “Accor Group” means:
• Accor SA, Accor Group with registered offices at 82 rue Henri Farman, 92130 Issy-les-Moulineaux, France;
• subsidiary or “family” companies of Accor SA involved in the hotel businesses of the Accor Group; and
• hotels operated under one of the Accor Group brands throughout the world. The list of brands can be viewed on accor.com.
Accor Plus is a paid subscription program operated by the Accor Group. Your registration with Accor Plus will automatically enroll you in the Accor Live Limitless loyalty program operated by Accor SA. The Accor Group personal data protection charter applies to your participation in the Accor Live Limitless loyalty program.
Member entitlements under the Accor Plus program are delivered by entities within the Accor Group and program partners. This is why, when participating in the Accor Plus program, your personal data will be dealt with by the Accor Group and program partners, both acting as Data Controllers for their own, separate, purposes. In summary:
• the Accor Group will process your data because it manages the Accor Plus program; and
• each program partner will process your data to manage its contractual relationship with you, including to allow you to access the member entitlements (invoicing, payment, booking management etc.), to perform marketing activities and to comply with its legal obligations.
3. ACCOR PLUS' TEN PRINCIPLES FOR PROTECTING YOUR PERSONAL DATA
In accordance with applicable regulations, we have instituted the following ten principles throughout the Accor Group:
a. Lawfulness: We use personal data only if permitted by law. The lawful basis may be one of the following:
o we obtain the consent of the person, OR
o it is necessary to do so for the performance of a contract to which the person is a party, OR
o it is necessary for compliance with a legal obligation, OR
o it is necessary in order to protect the vital interests of the person, OR
o we have a legitimate interest in using personal data and our usage does not adversely affect the persons’ rights
b. Fairness: We can explain why we need the personal data we collect.
c. Purpose limitation and data minimisation: We only use personal data that we really need. If the result can be achieved with less personal data, then we make sure we use the minimum data required.
d. Transparency: We inform people about the way we use their personal data.
e. We facilitate the exercise of people’s rights, including access to their personal data, rectification and erasure of their personal data and the right to object to the use of their personal data.
f. Storage limitation: We retain personal data for a limited period.
g. We ensure the security of personal data, i.e. its integrity and confidentiality.
h. If a third party uses personal data, we make sure it has the capacity to protect that personal data.
i. If personal data is transferred outside the jurisdiction where it is collected, we ensure this transfer is covered by specific legal tools.
j. If personal data is compromised (lost, stolen, damaged, unavailable…), where required by law, we notify such breaches to the respective jurisdiction's responsible authority and to the person concerned, if the breach is likely to cause a high-risk in respect of the rights and freedoms of this person (or otherwise in accordance with the test for notification applied in each jurisdiction).
For any questions concerning the ten principles of Accor data protection policies, please contact the Data Privacy department whose details appear in the clause "Your rights".
4. WHAT PERSONAL DATA IS COLLECTED?
At various times, we may collect information about you, including the following:
• Contact details (for example, last name, first name, telephone number, email, billing and shipping address).
• Personal details (for example, date of birth, nationality).
• Your credit card number (for transaction and reservation purposes).
• Your membership number for the Accor Plus program, another Accor loyalty program or another partner program (for example, an airline loyalty program) and information related to your activities within the context of the loyalty program.
• Details about your use of your Accor Plus membership (for example, details about the entitlements you book and access).
• Your preferences and interests (for example, types of entitlements you prefer).
• Your questions/comments in relation to your Accor Plus membership and the particular entitlements you communicate with us about.
• Your activity concerning the Accor Live Limitless loyalty program and your bookings with hotels operated under the Accor Group brands.
• Technical and location data you generate as a result of using our websites and applications.
The information collected in relation to persons under 16 years of age (or the legal age of your jurisdiction, if higher than 16) is limited to their name, nationality and date of birth, which can only be supplied to us by an adult and, if required by law, with the consent of the minor. We would be grateful if you could ensure that your children do not send us any personal data without your consent (particularly via the Internet). If such data is sent, you can contact the Data Privacy department (see clause "Your rights" below) to arrange for this information to be deleted.
In order to meet your requirements or provide you with a specific service (such as dietary requirements), we may have to collect sensitive information, such as information concerning religious beliefs, or details of health. In this case, we will only process this data if you provide your express prior consent.
If, when you apply for an Accor Plus membership, you elect to register a secondary card holder, we will be entitled to assume you are validly acting on behalf of that individual to authorise the collection, use and disclosure of their personal data as set out in this charter.
5. WHEN IS YOUR PERSONAL DATA COLLECTED?
Personal data may be collected on a variety of occasions, including:
a. Registration in Accor Plus (and renewal of registration).
b. Logging onto your Accor Plus account to make a booking.
c. When a program partner provides us with details about your booking with them for an Accor Plus entitlement.
d. When you make a booking with a hotel operated under one of the Accor Group brands which is then inputted into the global database managed by the Accor Group and linked with your Accor Plus membership.
e. When you communicate with us.
f. Participation in marketing programs or events:
o Registering for member-exclusive programs or activities;
o Participation in customer surveys;
o Online games or competitions; and
o Subscription to newsletters, in order to receive offers and promotions via email.
g. Internet activities:
o Connection to Accor websites (IP address, cookies in accordance with our Policy about the use of tracers); and
o Online forms (online reservation, questionnaires, Accor pages on social networks, social networks login devices such as Facebook login, conversations with chatbot, etc.).
Providing personal data is voluntary. However, if you do not provide the requested information, we may be unable to enroll you in the Accor Plus program or provide you with access to Accor Plus benefits.
7. WHAT PURPOSES IS YOUR DATA COLLECTED FOR AND HOW LONG DO WE RETAIN IT?
We will use your data in order to provide you with Accor Plus services, including to help you make reservations for member entitlements, send information about our new offers or promotions and to send information about other Accor Group promotions. The table below sets out more details on why we process your data, the lawful basis for the processing and the associated retention period.
Unless we have a legitimate business or legal purpose to retain your personal data, we will delete or anonymise your personal data, as required by the law of your jurisdiction. We will keep your information for the shorter of (a) the retention period provided below, or (b) the period permitted under law.
We require you to accept the terms of this charter when you apply for your Accor Plus membership. By accepting the terms of this charter you also agree or give consent (where required) to collection, use and disclosure of your personal data as set out in this charter. Additionally, you may separately choose to consent to receive information about your membership and marketing offers from Accor Plus via email, SMS and telephone. You can choose to opt-out of receiving these communications or from any channel at any time once you have activated your membership account.
|Purpose/Activity||Lawful basis for processing including basis of legitimate interest||Retention period|
|Meeting our obligations to our members.||Performance of a contract with you.
Necessary to comply with a legal obligation.
Necessary for our legitimate interest in running our business and providing you with requested products and services.
|10 years from the registration or account activity in accordance with legal obligations.|
|Managing registrations for Accor Plus entitlements, in particular the creation and storage of legal documents in compliance with accounting standards.|
Managing our relationship with members:
Performance of our contract with you and for the management of your membership in the program.
Necessary for our legitimate interests in promoting our services, performing direct marketing activities (taking into account your commercial relationship with one of the Accor Group’s entities) and improving our services.
|6 years from the last date on which you have interacted with us in any way.|
|Improving our member services by:
• Personalising your Accor Plus experience
• Processing your personal data through our customer marketing program in order to carry out marketing operations, promote brands and gain a better understanding of your requirements and wishes
• Adapting our products and services to better meet your requirements (for example, expanding the range of program partners)
• Customising the commercial offers and promotional messages we send you
• Informing you of special offers and any new services created by Accor Plus or any of its program partners.
• Sending you information about our benefits, new promotions or programs via email, social media or phone.
|Performance of contract with you in relation to the management of your membership in the program.
Necessary for our legitimate interests in promoting our services, performing direct marketing activities (taking into account your commercial relationship with Accor Group) and improving our services.
|6 years from the last date on which you have interacted with us in any way.|
|Offering you the benefits of the Accor Plus program and marketing goods and services to you, primarily being the offers from program partners you are entitled to as part of your membership of the Accor Plus program.||Your consent||6 years from the last date on which you have interacted with us in any way|
|Use a trusted third party to cross-check, analyse and combine your collected data in order to determine your interests and develop your profile and to allow us to send you personalized offers.||Necessary for our legitimate interests in promoting our services, performing direct marketing activities (taking into account your commercial relationship with one of the Accor Group’s entities) and improving our services.
|6 years from the last date on which you have interacted with us in any way.|
|Improving Accor Plus services, in particular:
• Carrying out surveys and analyses of questionnaires and customer comments
• Managing claims/complaints
|Performance of contract with you (for the management of your membership in the program)
Necessary for our legitimate interests in promoting our services, performing direct marketing activities (taking into account your commercial relationship with one of the Accor Group’s entities) and improving our services.
|6 years from the last date on which you have interacted with us in any way.
6 years from the date of closure of your file in case of a claim or a complaint.
|Securing and enhancing your use of Accor Plus websites, applications and services by:
• Improving navigation;
• Maintenance and support; and
• Implementing security and fraud prevention.
|Necessary for our legitimate interests in running our business, provision of administration and IT services and network security to prevent fraud.
|13 months from the collection of the information.|
|Internal management of lists of members having behaved inappropriately during their use of entitlements (aggressive and anti-social behaviour, non-compliance with safety regulations, theft, damage and vandalism or payment incidents).||Necessary for our legitimate interests in running our business and to prevent fraud and the abuse of our property and staff.
|Up to 122 days from the recording of an event.|
|Securing payments by determining the associated level of fraud risk. As part of this analysis, Accor Plus may use the Accor Group risk prevention service provider to refine their analysis.
Depending on the results of the investigations carried out, Accor Group may take security measures, in particular Accor Group may request the use of a different booking channel or for the use of an alternative payment method. These measures will have the effect of suspending the execution of the booking or, if the result of the analysis does not guarantee the safety of the order, of cancelling it. Fraudulent use of a means of payment leading to payment default may result in the entry of data in the Accor Group incident file, which may lead Accor Group to block future payments or carry out additional checks.
|Necessary for our legitimate interests in running our business and to prevent fraud.
|90 days in our database to allow for analysis and controls and then 2 years in a separate database used for improving the system.
In case of recording in the incident file, 2 years from recording or until regularization of the situation if earlier.
|Conforming to any applicable legislation (for example, storing of accounting documents), including:
• Managing requests to unsubscribe from newsletters, promotions, tourist offers and satisfaction surveys
• Managing data subject’s requests regarding their personal data.
|Necessary to comply with a legal obligation.
|As stipulated in the respective jurisdiction's legislation.|
8. CONDITIONS OF THIRD-PARTY ACCESS TO YOUR PERSONAL DATA
The Accor Plus program operates in many jurisdictions. Thus, we have to share your personal data with internal and external recipients subject to the following conditions:
a. We share your data with a number of authorised people and departments in the Accor Group in order to offer you the best experience with Accor Plus. The following teams may have access to your data:
o Staff where Accor Plus entitlements are available (for example, hotels, restaurants, spas).
o Reservation staff using Accor Group reservation tools.
o IT departments.
o Commercial and marketing services.
o Medical services if applicable.
o Legal services if applicable.
o Generally, any appropriate person within Accor Group entities for certain specific categories of personal data.
In particular, the data related to your Accor Plus bookings, preferences, satisfaction and your Accor Plus program membership are shared between the hotels operating under the Accor Group brands who are program partners. This data is used to improve the quality of service and your experience in each of these hotels.
b. With service providers and partners: your personal data may be sent to a third party for the purposes of supplying you with services and improving your stay, for example:
o Accor Plus program partners: parties outside the Accor Group offering benefits to Accor Plus program members.
o External service providers: IT sub-contractors, international call centres, banks, credit card issuers, external lawyers, dispatchers, printers.
o Commercial partners: Accor Plus may, unless you specify otherwise to the Data Privacy department, enhance your profile by sharing certain personal information with its preferred commercial partners. In this case, a trusted third party may cross-check, analyse and combine your data. This data processing will allow Accor Plus and its privileged contractual partners to determine your interests and customer profile to allow us to send you personalized offers.
o Social networking sites: In order to allow you to be identified on the Accor Group websites without the need to fill out a registration form, Accor SA has put in place a social network login system. If you log in using the social network login system, you explicitly authorize Accor SA to access and store the public data on your social network account (e.g. Facebook, LinkedIn, Google, Instagram…), as well as other data stated during use of such social network login system. Accor SA may also communicate your email address to social networks in order to identify whether you are already a user of the concerned social network and in order to post personalized, relevant adverts on your social network account if appropriate.
c. With local authorities: We may be obliged to send your information to local authorities if this is required by law or as part of an inquiry. We will ensure that any such transfer is carried out in accordance with local regulations.
9. PROTECTION OF YOUR PERSONAL DATA DURING INTERNATIONAL TRANSFERS
For the purposes set out in clause 7 of this charter, we may transfer your personal data to internal or external recipients who may be in jurisdictions offering different levels of personal data protection.
Consequently, in addition to implementation of this charter, Accor employs appropriate measures to ensure secure transfer of your personal data to an Accor entity or to an external recipient located in a jurisdiction offering a different level of privacy from that in the jurisdiction where the personal data was collected.
As at the effective date of this charter, Accor Plus is currently operating in jurisdictions in Asia Pacific. By enrolling in this program and depending on the entitlements you choose, your data may be sent to these jurisdictions. They are: Australia, Bangladesh, Cambodia, China, Fiji, French Polynesia, Hong Kong SAR, Indonesia, India, Japan, Laos, Macau SAR, Malaysia, Myanmar, New Zealand, Philippines, Singapore, South Korea, Sri Lanka, Taiwan China, Thailand and Vietnam. Your data may also be sent to locations in Europe, namely France.
Other than those that are required to carry out your reservation, data transfers to jurisdictions having different levels of personal data protection are regulated by standard contractual clauses defined by the European Commission.
Accor Plus takes appropriate technical and organizational measures, in accordance with applicable legal provisions (in particular: Art. 32 GDPR), to protect your personal data against illicit or accidental destruction, alteration or loss, misuse and unauthorized access, modification or disclosure. To this end, we have taken administrative measures, physical measures, technical measures (such as firewalls) and organizational measures (such as a user ID/password system, means of physical protection etc.) for access control to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. In relation to the submission of credit card data when making a reservation, SSL (Secure Socket Layer) encryption technology is used to guarantee a secure transaction. Organizational measures ensure the security of the processing.
In particular, we have implemented access control measures which restrict access to personal data as well as to storage and processing equipment by imposing access rights or permissions, user access management to limit access to personal data to authorized persons only, and user responsibilities to prevent unauthorized access, disclosure, perception or unlawful duplication of personal data. This also includes methods that enable the re-examination of unauthorized access, alteration, erasure, or transfer of personal data, as suitable for the method and means of the collection, use, and/or disclosure of personal data.
12. YOUR RIGHTS
You (or, if applicable, your legal representative) have the right to request information about and access, obtain a copy of or rectify your personal data collected by the Accor Group in relation to the Accor Plus program. Also, in some jurisdictions under law you may have the right to request to have your personal data erased, have the processing of it restricted or to request that we attach a statement of rectification or similar to your personal data if we do not make the rectification you requested. Furthermore, in some jurisdictions under law, you may have the right to data portability and to issue instructions on how your data is to be treated after your death (hopefully as late as possible!).
You can also object to or withdraw consent for the processing of your personal data.
We will support all the above requests as required by law. Additionally, even if the law in a jurisdiction does not require us to do so, we will endeavour to support any request as contemplated above to the extent reasonably practicable for us to do so. However, we may not action your request if the law prevents us from doing so or permits us to do so.
In the event that you wish to exercise any of your above rights, please contact the Data Protection Officer for the Accor Plus program directly by sending an email or by writing to the address below.
Please provide sufficient detail to enable us to understand the nature of your request and identify that it relates to the Accor Plus program:
Data Protection Officer - Accor Plus program
AAPC Singapore Pte. Ltd.
1 Wallich Street #17-01 Guoco Tower
Malaysia: +60 3 6419 5030
Singapore: +65 6408 8801
If you have a complaint or concern about how your personal data has been handled in connection with the Accor Plus program including whether we have complied with an applicable legal requirement, please contact the Data Protection Officer for the Accor Plus program using the above details. Please provide sufficient details so we can understand the nature of your concern and identify that it relates to Accor Plus program. We will investigate and endeavour to resolve your issue as swiftly as possible.
You may also have the right to lodge a complaint with a data protection authority. Contact details for the data protection authorities for the GDPR are available here.
For the purposes of confidentiality and personal data protection, we will need to check your identity in order to respond to your request or other communication. In case of reasonable doubts concerning your identity you may be asked to include a copy of an official piece of identification, such as an ID card or passport, along with your request. A black and white copy of the relevant page of your identity document is sufficient.
All requests and other communications will receive a response as swiftly as possible.
We may modify this charter from time to time. We recommend that you consult it regularly, particularly when making a reservation at one of our hotels.
For any questions concerning the personal data protection policy for the Accor Plus program, please contact the Data Protection Officer for Accor Plus (See clause "Your rights").
For any questions concerning the Accor Group’s personal data protection policy, please contact the Data Privacy department for Accor SA (please see the Accor Group personal data protection charter for contact details - https://all.accor.com/security-certificate/index.en.shtml).