Personal Data Protection Policy of Attana Hotels & Resorts Sdn Bhd (“AHR”) (“Policy”)
The hotel, serviced apartments, resorts and golf clubs under the management of AHR (collectively, “Properties”) governed by the Policy are as follows:
Perdana Kuala Lumpur City Centre
Perdana Kota Bharu
Villea Port Dickson
Villea Rompin Resort & Golf
Kota Seriemas Golf & Country Club
Protection of your Personal Data (as defined herein), which you have disclosed to us or which is presently being maintained by us, is important to us. This Policy outlines how we manage the Personal Data we hold. The Policy applies to all departments and business units across AHR and the Properties.
For the purpose of this Policy, the term “we”, “us”, “our”, “AHR” or “AHR Group” shall refer to AHR and/or its related corporations and affiliates (as the context requires) and the term “you” or “your” shall refer to all customers of AHR Group, as well as visitors and users of this website.
We respect the confidentiality of your Personal Data as well as the privacy of individuals and are committed to complying with the Malaysian Personal Data Protection Act 2010 (“PDPA”) and other applicable data protection laws, including the European Union (“EU”) General Data Protection Regulation (“GDPR”) where applicable. Please read this Policy so that you know and understand the purposes for which we collect, use and disclose your Personal Data.
This Policy supplements but does not supersede nor replace any other consents you may have previously provided to us in respect of your Personal Data, and your consents herein are additional to any rights which any member of the AHR Group may have at law to collect, use or disclose your Personal Data. This Policy does not affect any rights which we may have at law in connection with the collection, use or disclosure of your Personal Data.
For the avoidance of doubt, to the maximum extent permitted under applicable law, nothing in this Policy establishes any joint and several liability on the part of the AHR Group.
1. Your Personal Data
1.1. “Personal Data” refers to any data or information about you from which you can be identified either (a) from that data alone, or (b) from that data combined with other information. Examples of such Personal Data which you may provide us include (depending on the nature of your interaction with us), but are not limited to:
a) your name, MyKad number, passport number or other identification number, telephone number(s), mailing address, email address and any other information relating to you which you have provided us in any form, or in other forms of interaction with you;
b) information about your use of our websites and services, including cookies, internet protocol (IP) addresses, subscription account details and membership details;
c) your employment history, education background, and income levels; and
d) your payment related information, such as your bank account or credit card information, and your credit history.
1.2. In addition, if you make a reservation to be a resident at one of our Properties, you may also be asked to provide further information including photo identification about yourself and your family members, such as the dates of your arrival and departure. In order to provide you with better service, we may also collect your preferences, e.g. smoking or non-smoking room, the preferred location of your apartment (low floor, high floor, etc.), type of bed, preferred newspaper etc.
1.3. In respect of our activities in the EU, “Personal Data” shall also include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, criminal convictions and offences, and other information defined as ‘personal data’ under GDPR such as internet protocol addresses and cookie identifiers (insofar as such information is capable of identifying individuals either directly or indirectly).
2. Collection of Personal Data
2.1. Generally, we collect your Personal Data in the following ways:
a) when you submit forms, information or feedback relating to any of our products or services (including by use of our interactive information technology (IT) touch screens such as iPads/tablets (if any)), or submit any online queries;
b) when you register for or use any of our services on websites or apps owned or operated by us or when you register as a member of websites owned and/or operated by us;
c) when you interact with our representative or any of our staff, for example, via face-to-face meetings, telephone calls, letters, online forms (such as any “Contact Us” forms on our websites), reservation chat, social media platforms and emails;
d) when you use or purchase our services or products;
e) when you establish any online accounts with us;
f) when you request that we contact you;
g) when you respond to our request for additional Personal Data;
h) when you ask to be included in an email or other mailing list;
i) when you respond to our promotions and other initiatives;
j) when you respond to our market surveys;
k) when you submit a job application;
l) when we receive references from business partners, online travel agents and third parties, for example, where you have been referred by them;
m) when you submit your Personal Data to us for any other reason;
n) when you make a reservation; and
2.2. If you provide Personal Data of a third party (e.g. information of your dependent, spouse, children and/or parents) to us, you represent and warrant that the collection, use and disclosure of that Personal Data to us, as well as the further processing of that Personal Data by us for the purposes set out below, is lawful.
3. Use and Disclosure of Personal Data
3.1. Our business is to understand and meet your needs and provide you with the services that you require. To do this effectively, we need to collect a range of Personal Data about you as described in paragraph 1 above.
3.2. In general, we will, subject to applicable law, use and disclose your Personal Data for the following purposes:
a) provide you with the services that have been requested;
b) help us review, develop, improve, manage the delivery of and – to the extent this requires the use of Personal Data – enhance our products and services, including analysing future customer needs, conducting market research, customer satisfaction surveys and data analytics for example to enable us to understand and determine customer location, preferences and demographics (which does not involve automated profiling or result in automated decision-making activity which is regulated under the GDPR);
c) communicate with you and respond to your queries, requests and complaints;
d) provide ongoing information about our services which may be of interest to you;
e) handle disputes and conduct and facilitate investigations and proceedings;
f) protect and enforce our contractual and legal rights and obligations (including repayment obligations) and for credit and internal risk management;
g) prevent, detect and investigate crime, including fraud and money-laundering, and to analyse and manage other commercial risks;
h) manage our infrastructure and facilitate business operations (including but not limited to billing, customer service and customer verification) and comply with internal policies and procedures; and
i) comply with any applicable rules, laws and regulations, codes of practice or guidelines or assist in law enforcement and investigations by relevant authorities.
3.3. Generally, we process your Personal Data for one or more of the specific purposes identified in this Policy based on your consent obtained. Where GDPR applies, the legal basis for our processing of your Personal Data could also be that it is necessary for the legitimate interests pursued by us, or a third party which is described in paragraph 3.9 of this Policy. These legitimate interests include providing services to you where you are our client, managing the relationship between AHR, the Properties and you and facilitating internal business purposes and administrative purposes. In some cases, the provision and processing of your Personal Data may be a statutory and/or contractual requirement, or may be necessary in order to perform any contract you have agreed with us or perform services that you have requested.
3.4. In addition, we may use and disclose your Personal Data for the following purposes, depending on the nature of our relationship with you:
a) If you have a membership account with us (for example as a member of Loyalty Program):
(i) process your application for the account;
(ii) maintain your account with us;
(iii) verify your personal particulars and process payment requests in relation to provision of the services which you may be entitled to or which you may have requested for;
(iv) provide you with the services which you have signed up for;
(v) communicate to you changes and developments to our policies, terms and conditions and other administrative information, including for the purposes of servicing you in relation to the services offered to you;
(vi) resolve complaints and handle requests and enquiries;
(vii) conduct market research for statistical, profiling and statistical analysis for the improvement of services provided to you;
(viii) provide membership services to you; and
(ix) process your Personal Data in relation to any of the purposes stated above.
b) If you download or use any of our mobile applications (apps) (if any):
(i) process your application for subscription services if they are provided in the apps;
(ii) maintain your account with us;
(iii) verify and process your personal particulars and process payment requests in relation to provision of goods and services connected to the app;
(iv) provide you with the services which you have signed up for;
(v) communicate to you changes and developments to our policies, terms and conditions and other administrative information, including for the purposes of servicing you in relation to products and services offered to you;
(vi) resolve complaints and handle requests and enquiries;
(vii) conduct market research for statistical, profiling and statistical analysis for the improvement of services provided to you; and
(viii) process your Personal Data in relation to any of the purposes stated above.
c) If you are a resident at one of our Properties, or an employee or an organisation which is a customer of our Properties:
(i) conduct due diligence checks;
(ii) establish user profiles to improve services and for marketing purposes;
(iii) meet quality assurance, employee training and performance evaluation purposes;
(iv) maintain the client relationship;
(v) perform financial transactions such as payments for the period of stay, and enforce repayment obligations, credit and internal risk management;
(vi) communicate to you changes and developments to our policies, terms and conditions and other administrative information; and
(vii) any other purpose related to any of the above.
d) If you submit an application to us as a candidate for employment:
(i) process your application including pre-recruitment checks;
(ii) provide or obtain references for background screening/vetting;
(iii) collect information about your suitability for the position applied for;
(iv) organise training and staff development programs;
(v) assess your performance;
(vi) administer benefits and payroll processing;
(vii) provide you with tools to facilitate or as required for you to do your job;
(viii) communicate with you to comply with our policies and processes, including for business continuity purposes; and
(ix) any other purposes related to the aforesaid.
e) If you are an existing employee, AHR’s Employee Personal Data Protection Policy would also apply to you.
3.5. The above purposes are not exhaustive, and depending on the nature of your relationship with us, we may collect, use and disclose your Personal Data for additional purposes which you will be notified of, in accordance with applicable terms and conditions.
3.6. Where you have provided us with specific consents, we may also use and disclose your Personal Data in relation to providing services and extending benefits to you, including promotions, loyalty and reward programmes, sending you other information on our products, services, offers or promotions which may be of interest to you and conducting market research to develop special offers, promotional and/or marketing programmes and administering contests, competitions and conducting lucky draws, including, where necessary, announcing the results of these contests, competitions and lucky draws and identifying and contacting the winners.
3.7. In relation to particular products or services or in your interactions with us, we may also notify or have specifically notified you of other purposes for which we collect, use or disclose your Personal Data. If so, we will collect, use and disclose your Personal Data for these additional purposes as well, unless we have specifically notified you otherwise.
3.8. Your Personal Data will be protected and kept confidential, but subject to the provisions of any applicable law, your Personal Data may, depending on the products or services concerned, be disclosed to third parties set out below. Such disclosure may be subject to additional legal requirements under applicable law, depending on the nature of such transfer to third parties. Your Personal Data will, in each case, only be disclosed to the extent necessary and proportionate. The third parties are:
a) other divisions or entities within the AHR Group;
b) our agents, contractors, third party service providers and specialist advisers who have been contracted to provide us with administrative, financial, research, operational or other services in pursuance of the purposes set out in this Policy, such as telecommunications, information technology, payment, payroll, processing, training, market research, storage and archival;
c) any third party business partners who offer goods and services or sponsor contests or other promotional programmes, whether in conjunction with us or not, and where permitted by applicable laws;
d) insurers or insurance investigators and credit providers;
e) our professional advisors such as our auditors and lawyers;
f) relevant government regulators or authority or law enforcement agency to comply with any laws or rules and regulations imposed by any governmental authority;
g) anyone to whom we transfer or may transfer our rights and obligations, including, for example, where we obtain the services of a third party organisation to handle any aspect of the processing of your Personal Data for the purposes notified to you in accordance with this Policy;
h) banks, credit card companies and their respective service providers; and
i) any other party as may be consented to by you, as specified by you or as may be notified to you by us in subsequent notices.
3.9. We require that organisations outside the AHR Group which handle or obtain Personal Data as service providers acknowledge the confidentiality of this data, undertake to respect any individual’s right to privacy and comply with the PDPA, the GDPR and any other applicable data protection laws. As a requirement under these laws, we may be required to have specific agreements in place with such third parties to regulate and safeguard your data protection rights. We also require that these organisations use this information only for our purposes and follow our directions with respect to this information.
4. Transfer of Personal Data
4.1. Your Personal Data may be stored in external servers located overseas. In addition, as described above, in carrying out our business, it may be necessary to share information about you with and between our related corporations and third party service providers, some of which may be located in countries outside your country of residence. Such countries may not afford a standard of protection similar to those in your country of residence. However, we will take reasonable steps to ensure that your Personal Data transmitted outside of your country of residence is adequately protected. In addition, we will ensure that such transfers comply with the requirements of the applicable data protection laws.
5. Retention of Personal Data
5.1. We may retain your Personal Data for as long as it is necessary for the purposes it has been collected, and (i) in most cases, up to seven (7) years; or (ii) in respect of our activities in the EU, up to ten (10) years, unless otherwise permitted by applicable law or in order to defend legal claims. Where we no longer require your Personal Data for those purposes, we will cease to retain such Personal Data in accordance with our internal retention policy.
6. Your Rights
6.1. You have the following rights, under applicable data protection laws (except where the exercise of these are restricted under applicable laws – for example, due to judicial proceedings or the carrying out of investigations), which can be exercised by contacting our Marketing Department at the contact details provided in paragraph 11.1 below (“Marketing Department”):
a) you have the right to obtain from us confirmation as to whether or not your Personal Data is being processed and to request a copy of your information. Where legally required, we can provide your information in an easily accessible format and assist in transferring some of this information to third parties;
b) you are entitled to rectify your Personal Data. We endeavour to ensure that all Personal Data we have about you is accurate and up-to-date. We understand that this information changes frequently with changes of address and other personal circumstances. We encourage you to contact us as soon as possible to enable us to update any Personal Data we have about you. Incomplete or outdated Personal Data may result in our inability to provide you with products and services you have requested;
c) in certain circumstances, you have the right to request to have your Personal Data deleted or its processing restricted;
d) if we process your information based on our legitimate interests explained above, or in the public interest, you can object to this processing in certain circumstances. In such cases, we will cease processing your information unless we have compelling legitimate grounds to continue processing or where it is necessary for legal reasons. Where we use your data for direct marketing purposes, you can always object using the unsubscribe link in such communications or by contacting us at the details in paragraph 11.1 below;
e) to prevent any processing of Personal Data that is causing or is likely to cause unwarranted and substantial damage or distress to you or another individual;
f) to be informed about any use of your Personal Data to make automated decisions about you where such decisions produce legal effects or have similarly significant effects on you, and to obtain meaningful information about the logic involved, as well as the significance and the envisaged consequences of this processing; and
g) to lodge a complaint about the way in which your Personal Data is being used to a supervisory authority.
6.2. Where we rely on your consent to use your Personal Data, you have the right to withdraw that consent at any time. If you withdraw your consent to any or all purposes and depending on the nature of your request, we may not be in a position to continue to provide our products or services to you. Please note, however, that if you have provided us consent in respect of the use of your telephone number(s) for receiving marketing or promotional information, any such consent provided will not be affected by your withdrawal of your other consent in accordance with the terms set out in this Policy. If you do not wish for your telephone number(s) to be used for receiving marketing or promotional information, please contact our Marketing Department and specify that you wish to withdraw your consent for such purpose.
6.3. Where mandated under the applicable data protection laws, your exercise of the rights described or referred to above shall be free of charge. In all other situations, we may charge a fee in accordance with Section 30 of the PDPA.
6.4. If you want to exercise any of your rights or if you wish to raise a complaint on how AHR Group has handled your Personal Data, you may contact our Marketing Department at the contact details provided in paragraph 11.1 below.
7. Management and Security
7.1. We have a Marketing Department to oversee our management of your Personal Data in accordance with this Policy and the applicable data protection laws.
9. Third-Party Sites
10. Third Party Modules
11. How to contact us
11.1. If you have any questions about this Policy or any queries relating to your Personal Data, or you would like to obtain access and/or make corrections to your Personal Data records, please contact our Brand & Content Department:
Brand & Content Department
Attana Hotels & Resorts Sdn. Bhd.
Lot 4.1, Level 4
10, Jalan Binjai,
50450 Wilayah Persekutuan,
Tel: 603-7490 3958
12. Governing Law
12.1. This Policy and your use of this website shall be governed in all respects by the laws of Malaysia.
For the avoidance of doubt, the applicable data protection laws will apply to the processing of your Personal Data.
13. Review of this Policy
13.1. This Policy will be reviewed from time to time by us. We may also from time to time update this Policy to take account of new laws and technology, changes to our operations and practices and the changing business environment. If you are unsure whether you are reading the most current version, please contact us.
13.2. In the event of any inconsistencies between the English version and other translations of this Policy, the English version shall prevail.