- For the purpose of the EU General Data Protection Regulation (“GDPR”), the data controller is the Strand Palace Hotel & Restaurants Limited of 372 Strand, London WC2R 0JJ, trading as Strand Palace.
Information we may collect from you
- Information that you provide by filling in forms on strandpalacehotel.co.uk (“our site”) to use our products and services. This includes information provided when registering to use our site, subscribing to our newsletter, posting material or requesting further services, booking a room, including preferences about the room and its location, information about disabilities and dietary requirements. We may also ask you for information when you enter a competition or promotion sponsored by the Strand Palace, and when you report a problem with our site.
- Enquiries made when you contact our reservations team to make a booking or use the facilities at any of our properties. Facilities include, but are not limited to, meeting rooms, bars and/or restaurant, function rooms, and guest Wi-Fi.
- Records or correspondence should you contact us.
- Optional surveys we may ask you to complete that we use for research purposes.
- Details of transactions you carry out through our site and in the fulfilment of your booking.
- Information collected when you have provided your consent, in order to:
- Subscribe to any of our marketing communications
- Complete customer surveys, enter competitions or provide feedback.
- Information collected when we do business with you, which will usually include:
- Full or partial contact details including names and addresses (including business details if you are making a corporate booking), telephone and email details.
- Details about diet, disability or any other preferences that you may have concerning special requirements.
- Payment card information should you choose to use this form of payment for purchasing or guaranteeing use of our products and services.
- Your birthdate and other significant dates for making special offers to you around your birthday and other anniversaries.
- Passport and/or identity details for our guests visiting from overseas.
Information and personal data collected automatically
- Website data collected through our site
- CCTV recordings
- We operate CCTV systems. These are in operation and video recordings may be made. This activity is carried out for security and service reasons for the better management of the Strand Palace Hotel and security for all its clients and staff.
How we use and store your information
- Storage of your personal data, regardless of when or who you book the Strand Palace through, will be made in
- Centralised systems which are under the control of the Strand Palace Hotel and accessible by authorised staff of the Strand Palace Hotel or our suppliers, and
- Some local systems controlled solely by the Strand Palace.
- Information we collect about you is used to process your bookings, answer your queries, process your gift card purchases, provide our hotel and restaurant facilities and services, and enable you to manage your website user account. With your consent where appropriate, we will contact you via our marketing and sales channels (email/phone/post) about other related products and services we provide which we think may be of interest to you. Our marketing communications are generally sent by email but we may sometimes use other methods of delivery such as by post or SMS.
- Personal data is mainly collected, stored and processed in two different stages:
- Before you visit our hotel
- Our Site – When you visit our site (strandpalacehotel.co.uk), we collect information about your use of our site. This includes both information we collect directly from you, and information we collect about your behaviour. This information may constitute ‘personal data’ under applicable law. We use this information to provide you with (personal) offers, both on our Website and via advertisements on other websites you visit.
- General Advertising – We may use other companies to serve third-party advertisements when you visit and use our site. These companies may collect and use click stream information, browser type, time and date, subject of advertisements clicked or scrolled over during your visits to our site and other websites in order to provide advertisements about goods and services likely to be of interest to you. These companies typically use tracking technologies to collect this information. Other companies’ use of their tracking technologies is subject to their own privacy policies.
- Targeted Advertising – We use our site information to provide you with (personal) offers, both on our site and via advertisements on other websites you visit. In order to serve offers and advertisements that may interest you, we may display targeted advertisements on our site, or other digital properties or applications in conjunction with our content based on information provided to us by our users and information provided to us by third parties that they have independently collected. We do not provide personal data to advertisers when you interact with an advertisement.
- When you visit, or have visited, the Strand Palace
- Transactional Communications – When you make a reservation, you will have to provide us with your name, email address, phone number, the dates you are staying with us and a credit card token or other payment information as applicable. We use this personal data to process the reservation, for billing purposes, and to allow us to communicate with you about your reservation. When you stay in the Strand Palace Hotel, we will collect personal data about your preferences, use of our services, and location.
- We may at each of the stages outlined above use your personal data but only when and to the extent the law allows us to. Most commonly, we will use your personal data in the following circumstances where:
- We need to perform the contract we are about to enter into or have entered into with you.
- It is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- We need to comply with a legal or regulatory obligation.
- You have provided your consent.
Legal bases that allow for the processing of your personal data
- For your convenience, we have made an overview of activities that involve the processing of your personal data, and the corresponding legal basis/legal bases that allow us to process this data.
| Type of information & purpose of use | Legal basis/legal bases |
|---|---|
| Personal data used for administrative purposes. | Consent, where required; In order to enter into or perform a contract to which you are a party |
| Information that government regulations require us to ask you when you arrive at the Strand Palace. This may include information such as birth date, nationality, place of residence, date of arrival and profession. | Compliance with a legal obligation |
| Information used to verify your identity when you arrive at the Strand Palace. We will use your passport or other identification documents. We will not store a copy of your passport, except to the extent permitted by law. | In order to enter into or perform a contract to which you are a party; For the purposes of our, or a third party’s, legitimate interests, including keeping our records up to date |
| Personal data stored in our database(s), also after your transaction has been completed and after you have stayed in our hotel to the extent required by law, and you have opted to do so, to be able to contact you and welcome you again in the future. | Compliance with a legal obligation; For the purposes of our legitimate interests, including: keeping our records up to date and managing our on-going relationship with you |
| Personal data transferred to servers located in the UK, or to servers located in countries within the European Economic Area (‘EEA’), which is required for technical and organisational reasons as many of our business purposes require cloud-based services. | In order to enter into or perform a contract to which you are a party; For the purposes of our, or a third party’s, legitimate interests, including the provision of administration and IT services and network security, and in preventing fraud |
| Data used to process your booking, howsoever made directly via our website or via a third party (online) travel agent. | In order to enter into or perform a contract to which you are a party |
| Services and products shared via email, telephone or other media that you request from us, or in which we may think you are interested. These marketing communications contain commercial offers and news of the Strand Palace and related third parties. The email newsletter is sent to the email address you provide. If you no longer wish to receive the newsletter or correspondence, you can unsubscribe and we will no longer send you these marketing communications. | Consent, where required; In order to enter into or perform a contract to which you are a party; For the purposes of our, or a third party’s, legitimate interests |
| Credit card data or other payment data used for invoicing purposes. | In order to enter into or perform a contract to which you are a party |
| Data collected via your use of our Wi-Fi services for security and anti-piracy purposes (such as: IP address, your device’s MAC address, connections made, location, etc.). We do not process the content of traffic. | Consent, where required; For the purposes of our, or a third party’s, legitimate interests, including maintaining appropriate IT and network security |
| We endeavour to provide a high level of security of both the information we store as well as our facilities, (IT) systems and premises, by means of encryption, physical security measures, passwords, company procedures and policies and professional IT support. The Strand Palace and its vendors may process personal data in this context. | For the purposes of our, or a third party’s, legitimate interests, including maintaining appropriate physical and IT/network security |
| We endeavour to prevent our services and facilities (properties) from being used for illegal purposes of any kind. The Strand Palace and its vendors may process personal data in this context, such as through CCTV surveillance. | Vital interests; For the purposes of our, or a third party’s, legitimate interests, including protecting you during your stay |
| We engage in activities required for compliance with legal obligations, third-party claims or requests from public authorities, such as (i) the mandatory storage/containment of certain information because of a criminal investigation, (ii) requests from third parties for access to information, (iii) any further instructions from third parties, such as supervisory authorities, that involve data processing. | Consent, where required; In order to enter into or perform a contract to which you are a party; For the purposes of our, or a third party’s, legitimate interests; Compliance with a legal obligation |
| Special categories of personal data in relation to diet or disability where required. | Consent |
- We may collect information about your computer, including your IP address, operating system and browser type.
- We collect this information for system administration and to report aggregate information to our advertisers.
- This is statistical data about our users’ browsing actions and patterns, and does not identify any individual.
- We operate an optional policy for cookies, which means that you will be prompted if you are happy with the cookie usage set out below. If you are not happy, you should not use this site and delete Strand Palace cookies from your browser.
- You can also block cookies by browsing the site using your browser’s anonymous usage setting. This is called “Incognito” in Chrome, “InPrivate” in Internet Explorer and “Private Browsing” in Firefox and Safari.
- We automatically track certain information about you based upon your behaviour on our site. We use this information to do internal research on our users’ demographics, interests, and behaviour. This helps us to better understand and serve our users.
- We use web analytics tools to analyse site usage, including how our users arrive at our site, what they do on the site and what browser and operating system they use. This analytics data is not tied to personally identifiable information.
- We use a number of different cookies on our site. You can find out more about what cookies are and how to control and delete them at www.aboutcookies.org.
- Google Analytics – We use this to understand how the site is being used in order to improve the user experience. All user data is anonymous.
- Email tracking – We include tracking on some of our emails so that we can tell how much traffic they send to our site and analyse open and click rates. Sometimes we track and use individual users’ responses to our emails, for instance in order to re-email those who did not click a message on first receiving it. If you want to be sure that none of your email activity is tracked, you should opt out of the Strand Palace’s emails.
- Surveys & Contests – From time to time our site may request information from users via surveys, contests or for a particular service (e.g. newsletter). Participation in these surveys or contests is voluntary. Information requested will include contact information (as supplied to the site during registration) and supplementary information on your interests, opinions and preferences. We will use the contact information to notify winners. We will not publish winners’ details on the site though on request we will provide details of any winner’s name and organisation in promotional activity. If the survey or contest has a sponsor then we may share information given by entrants with the sponsor, but only with the user’s consent.
- We employ appropriate security measures to protect against the loss, misuse and alteration of the information under our control.
- For the Strand Palace family of sites, we employ Secure Sockets Layer (SSL) software, which encrypts information you input, as an additional security measure.
- Where possible, your personal data will be encrypted and stored on a virtual private server that is secured by means of state-of-the-art protection measures.
- As no online data transmission can be guaranteed to be totally secure, we (like all web sites) cannot guarantee 100% security of any information you transmit to us on our site.
- A strictly limited number of people have access to your personal data.
Sharing Your Data
- We may share your personal data as follows:
- Third Parties Designated by You – We may share your personal data with third parties where you have provided your consent to do so.
- Our Third Party Service Providers – We may share your personal data with our third party service providers who provide services such as payment processing, information technology and related infrastructure provision, business support (operational and administrative), customer service, the processing and delivery of marketing communications to you, email delivery, auditing and other similar services. These third parties are only permitted to use your personal data to the extent necessary to enable them to provide their services to us. They are required to follow our express instructions and to comply with appropriate security measures to protect your personal data. Third parties are subject to confidentiality obligations and may only use your personal data to perform the necessary functions and not for other purposes.
- Affiliates – We may share some or all of your personal data with our affiliates, in which case we will require our affiliates to comply with this Privacy Statement. In particular, you may let us share personal data with our affiliates where you wish to receive marketing communications from them.
- Other Disclosures – We may share personal data as we believe necessary or appropriate:
- To comply with applicable laws
- To comply with lawful requests and legal process, including to respond to requests from public and government authorities to meet national security or law enforcement requirements
- To protect our rights, privacy, safety or property, and/or that of you or others.
- We do not share your data with any third parties outside of the above processing arrangements and we do not share your data with any business external to our group for their own marketing purposes. From the data we collect, you should only ever receive marketing communications from ourselves.
- We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing. Learn more about Mailchimp’s privacy practices here.
International data transfers
- In some instances, it is necessary to transfer your personal data overseas. Any transfers will be made in full compliance with all aspects of the applicable regulations.
- For many of our business purposes, we use cloud-based services. Therefore, for technical and organisational reasons, it is necessary that your personal data is transferred to servers located in the UK, or to other servers located within the EEA.
- Our email marketing provider is Mailchimp. As we send out email campaigns, data is passed through Mailchimp’s servers, which are located in the USA.
Disclosure of your information
- We may disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- If Strand Palace Hotel and Restaurants Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
- You can also exercise your rights at any time by contacting us at firstname.lastname@example.org or by writing to us at Data Privacy Officer, Strand Palace, 372 Strand, London WC2R 0JJ.
- The GDPR provides the following rights for individuals:
- Right to revoke consent – If we process personal data on the basis of your consent, you have the legal right to revoke such consent at any time. We will then cease the relevant processing activity going forward.
- Right of access to your information – If you want to know what personal data we have collected or process about you, you may request us to provide a copy of your personal data by sending an email to email@example.com. We will ask you to identify yourself. We will not provide you with a copy of your personal data to the extent that the rights and freedoms of others are or may be adversely affected.
- Right to rectification and erasure of data, and restriction of processing – If you believe that our processing of your personal data is incorrect, inaccurate, unlawful, excessive, incomplete, no longer relevant, or if you think that your data is stored longer than necessary, you may ask us to change or remove such personal data or restrict such processing activity, by sending an email to firstname.lastname@example.org.
- Right to data portability – You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format, in accordance with Article 20 of the General Data Protection Regulation.
- Right to object – You have the legal right to object, on grounds relating to your particular personal situation, at any time to the processing of your personal data. Furthermore, you have the right to object at any time to our processing of your personal data for direct marketing purposes or to profiling. You can do this by either
- Opting out by using the option we provide in the relevant direct marketing message (e.g. an email newsletter), or
- By sending an email to email@example.com, or
- Writing to: General Manager, Strand Palace Hotel, 372 Strand, London WC2R 0JJ
- For the sake of clarity – Without prejudice to the foregoing we are at all times entitled to send you messages that do not constitute direct marketing, i.e. service messages.
- General information relevant for all requests and queries
- Nothing in this Privacy Statement is intended to provide you with rights beyond or in addition to your rights as a data subject under applicable mandatory data protection law.
- We will use reasonable endeavours to respond to your request or query within one month. We are entitled to extend this term by another two months if the complexity of the situation so requires. If your request is manifestly unfounded or excessive we may either
- Charge you a fee, or
- Refuse to process your request.
- With respect to access requests we may also charge you for extra copies. If we decide not to honour your request or answer your query, we will explain our reasons for doing so in our reply.
Protection and storage of your data
- We have used and will continue to use reasonable endeavours to protect your personal data against loss, alteration or any form of unlawful use. Where possible, your personal data will be encrypted and stored on a virtual private server that is secured by means of state-of-the-art protection measures. A strictly limited number of people have access to your personal data.
- We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Retention of information
- Should you choose to unsubscribe from our mailing list, please note that your personal data may still be retained on our database to the extent permitted by law.
Access to information
- The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act.
- In order for us to provide you with details of the information we hold about you, or to enable you to correct or transfer information, you are required to complete a Data Subject Information Request form, obtained by emailing firstname.lastname@example.org.
- Where appropriate, we will notify you of changes to our policy by email.