Updated: 01 JUNE 2019
The Company is established under the laws of Malta with registered address at Embassy Complex, St. Lucia Street, Valletta Malta (“We”/”Us”/”Our”).
We are committed to respecting your privacy. If you wish to contact Us about Our privacy practices please feel free to do so by post at the above registered address or by email at [email protected]. You may also wish to contact us by telephone on 21227436
Our Data Protection Officer may be contacted by email at [email protected] or by telephone on 21227436.
Please read this Privacy Notice carefully to understand our practices with respect to your Personal Data.
References to “Data Controller”, “Data Subject”, “Personal Data”, “Process”, “Processed”, “Processing”, “Data Protection Officer” and “Data Processor” in this policy have the meanings set out in, and will be interpreted in accordance with the applicable laws. “Applicable Laws” shall mean the relevant data protection and privacy laws, including but not limited to, the Data Protection Regulation (EU) 2016/679, and the Data Protection Act, Chapter 440 of the Laws of Malta and subsidiary legislation thereto, as may be amended from time to time.
We may update this Privacy Notice in Our sole discretion including as result of a change in Applicable Law or processing activities. Any such changes will be communicated to you prior to the commencement of the relevant processing activity.
What amounts to Personal Data?
The term “Personal Data” refers to all personally identifiable information about you, such as your name, surname, address, e-mail address, telephone number (including mobile number), and includes all personal information which may be processed and that can be identified with you personally.
Other categories of Personal Data may include:
Personal details: passport information, visa information, gender, birth date, national identification information, disability information, photographs and images.
Reservation details: travel history, groups you are associated with when you stay at our hotel, account applications, and other information related to your reservation, stay or visit to The Embassy Valletta Hotel.
Payment information: payment card number and other card information
How do we collect Personal Data?
Generally, you would have provided your Personal Data to Us. However, in some instances, We may collect Personal Data about you from third party sources, such as online searches or from public registers. Third parties such as Our clients and business partners, may also have provided your Personal Data to Us.
Active information collection:
We actively collect information from our guests. Examples include when you communicate directly with us via e-mail and by filling in online forms on our Website (or via third party websites). You may also provide us with Personal Information during registration and check-in at our property (for example, when you complete our hard copy registration form when you register with us in person).
Other examples of where we actively collect your information include: (i) when you register your interest in booking a room or other experience with us; and (ii) for sales enquiries and transactions.
Passive information collection:
In some circumstances we may process information on the basis of (i) your related interactions with us (for example, the web page from which you navigated to the Website), or (ii) Personal Information that we have received or obtained from a third party (for example, publicly available information sources). In these circumstances, your Personal Information may be said to have been passively collected (that is, gathered without you actively providing the information).
An example of where your Personal Information may be passively collected is when you use the Website. Each time you use the Website, we will automatically collect the following information:
- Details of your use of the Website including your username, city, country, page views, searches
- Technical information, including your device model, operating system of the machine running your web browser, type and version of your web browser, IP address, date and time when you accessed the Website
- Web page download information
- General Website usage information
The use of the information and its purpose
We may collect, process and otherwise use your Personal Information for purposes that are required by applicable law, regulations or other legally binding instruments or to allow us to fulfil our business needs and legal obligations. These purposes may include the following:
- to administer, improve and develop the Website;
- for administration and completion of bookings, reservations and registrations;
- to manage our relationship with you and (if relevant) the organisation that you represent, including providing information regarding our products and services, customer service and concierge services;
- for arranging, planning and booking group events or meetings at our properties;
- to administer membership, rewards programmes, promotional offers and related offers;
- to personalise your user experience (e.g. by tailoring the content delivered to you on our Website);
- for legal disputes, regulatory investigations and compliance purposes;
- to assist us in providing the services you request at any of our properties and to ensure we meet your needs while you are staying with us and/or to allow us to contact you in relation to matters that arise from your stay with us.
Video surveillance and location-based data:
Like many hotels, we value your safety and security. We may therefore record or capture images of our visitors and guests in public areas and certain location-based data (e.g. data from your room key cards and other entry passes). We may also process your Personal Information by using CCTV principally for the purposes of protecting you, our visitors, other guests and our staff.
The overriding legitimate interests of our Company follow from our obligation to ensure that our guests have a safe stay in the hotel as well as from our interest in enforcing our tangible and intangible claims and safeguarding our rights as well as defending against unjustified claims.
Categories of personal data recipients:
Potential recipients of the data are the criminal prosecution authorities as well as persons or entities which we entrust with safeguarding our rights (such as lawyers). We do not intend to transmit the data to a third country or an international organisation.
Period of storage of personal data:
Where the surveillance footage is recorded, the recordings concerned will be deleted after 72 hours at the latest; after expiry of this storage period, only such data will be stored which are necessary for clarifying specific incidents or enforcing claims based on a specific event (e.g. a criminal offence). Such data will likewise be deleted after the purpose for the continued storage no longer exists.
We typically collect Personal Data and process it for the following purposes:
- for the purposes of providing you with the Services that you request;
- for the purpose of becoming a member of the Embassy Cinemas Loyalty Club. When you provide your details to be part of our loyalty club, we process your personal data to make you eligible for the different offers done from time to time;
- for direct marketing, and to benefit from exclusive offers, receive latest news and offers which marketing shall be conducted by email and mobile (the “Direct Marketing”);
- to manage our relationship with you and provide you with information related to your registration, purchases or other information;
- to comply with legal obligations imposed on Us;
- to provide you with statements and to provide you with products and services;
- for the detection and prevention of fraud and other criminal activity which we are legally bound to report;
- for the development and improvement of our systems, products and services;
- any Personal Data lawfully generated by Us in the course of executing your instructions; and
- any Personal Data which you may voluntarily provide to Us;
- for purposes of a legitimate interest pursued by Us or by a third party, provided such interest is not overridden by your interests, fundamental rights and freedoms; and
- the purposes you would have requested when providing your Personal Data to Us.
Irrespective of the manner that We have collected your Personal Data, We will only process such data for the purposes of rendering you with the Services and for the purposes indicated in this Notice, including the fulfilment of any legal or regulatory obligation imposed on Us.
Legal Bases of Processing Personal Data
The legal bases of processing your Personal Data are the following:
- Entering into and performing the obligations for the purposes of providing you with the Services that you request from us and to participate in the Embassy Cinemas Loyalty Club. Providing such Personal Data is necessary for our performance of our Terms and Conditions with you]. The consequence for not doing such processing would be that we would be unable to provide you with the Services;
- Our legitimate interests – to process your Personal Data for safety and security, such as the recording of telephone conversations or electronic communications which result or may result in transactions where recording will take place. When we process your Personal Data on the basis of Our legitimate interests, we ensure that the legitimate interests pursued by Us are not overridden by your interests, rights and freedoms;
- Your explicit consent – with regard to the processing of Your personal data for Direct Marketing; and
- We might also have to process Your personal data to comply with legal obligations imposed on Us, such as transferring personal data to relevant authorities
On the basis of Our legitimate interests or compliance with legal obligations, as applicable, We may also process your Personal Data for the purposes of establishing, exercising or defending legal proceedings.
We will ensure that we have additional grounds for processing your Personal Data if processing of Data is envisaged. We might also process your Personal Data on the basis of your explicit consent, in which case we will process your data for the purposes for which your explicit consent was requested.
Recipients of Your Personal Data
We may share your Personal Data with third party recipients who are:
- Selected individuals within Our Company, on a need-to-know basis;
- Any service providers that may have access to your Personal Data in rendering Us with their support services, including IT and accounting service providers;
- Third parties to whom disclosure may be required as a result of our provision of the Services and your participation in the Embassy Hotel Privilege Card;
- Any business partners to whom you may have requested that we transfer your Personal Data;
- Third parties to whom disclosure may be required as a result of legal obligations imposed on Us;
Unless specifically instructed and consented by you, we do not share your Personal Data with any entity located outside of the EU or EEA.
Automated Decision-Making and Profiling
For as long as We retain your Personal Data, you have certain rights in relation to your Personal Data including:
- Right of access – you have the right to ascertain the Personal Data We hold about you and to receive a copy of such Personal Data;
- Right to complain – you have the right to lodge a complaint regarding the processing of your Personal Data with the supervisory authority for data protection matters. In Malta this is the Information and Data Protection Commissioner (contact details provided below);
- Right to Erasure – in certain circumstances you may request that We delete the Personal Data that we hold about you;
- Right to Object – you have a right to object and request that We cease the processing of your Personal Data where We rely on Our, or a third party’s legitimate interest for processing your Personal Data;
- Right to Portability – you may request that We provide you with certain Personal Data which you have provided to Us in a structured, commonly used and machine-readable format (except where such personal data is provided to us in hand-written format, in which case such personal data will be provided to you, upon your request, in such hand-written form). Where technically feasible, you may also request that we transmit such Personal Data to a third party controller indicated by you;
- Right to Rectification – you have the right to update or correct any inaccurate Personal Data which We hold about you;
- Right to Restriction – you have the right to request that We stop using your Personal Data in certain circumstances, including if you believe that We are unlawfully processing your Personal Data or the Personal Data that We hold about you is inaccurate;
- Right to withdraw your consent – where Our processing is based on your consent. Withdrawal of your consent shall not affect the lawfulness of the processing based on your consent prior to the withdrawal of your consent; and,
- Right to be informed of the source – where the Personal Data We hold about you was not provided to Us directly by you, you may also have the right to be informed of the source from which your Personal Data originates.
Please note that your rights in relation to your Personal Data are not absolute and we may not be able to entertain such a request if we are prevented from doing so in term of an applicable law.
You may exercise the rights indicated in this section by contacting Us or Our Data Protection Officer at the details indicated above.
Keeping your data secure
We shall implement and maintain appropriate and sufficient technical and organisational security measures, taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, to protect your personal data against any unauthorised accidental or unlawful destruction or loss, damage, alteration, disclosure or access to personal data transmitted, stored or otherwise processed and shall be solely responsible to implement such measures.
We shall ensure that our staff who process your data are aware of such technical and organisational security measures and we shall ensure that such staff are bound by a duty to keep your personal data confidential.
The technical and organisational security measures in this clause shall mean the particular security measures intended to protect your personal data in accordance with any privacy and data protection laws.
If you have any complaints regarding Our processing of your Personal Data, please note that you may contact Us or Our Data Protection Officer on any of the details indicated above. You also have a right to lodge a complaint with the Office of the Information and data Protection Commissioner in Malta (www.idpc.gov.mt).
Where You Provide Us with Personal Data Related to Third Party Data Subjects
If you are a trader, a company, or other corporate entity, and you supply to Us Personal Data of third party Data Subjects such as your employees, affiliates, service providers, customers or any other individuals connected to your business, you shall be solely responsible to ensure that:
- you immediately bring this Privacy Notice to the attention of such Data Subjects and direct them to it;
- the collection, transfer, provision and any Processing of such Personal Data by You fully complies any applicable laws;
- as Data Controller You remain fully liable towards such Data Subjects and shall adhere to the Applicable Law;
- you collect any information notices, approval, consents or other requirements that may be required from such Data Subject before providing Us with their Personal Data;
- you remain responsible for making sure the information you give us is accurate and up to date, and you must tell us if anything changes as soon as possible.
You hereby fully indemnify Us and shall render Us completely harmless against all costs, damages or liability of whatsoever nature resulting from any claims or litigation (instituted or threatened) against Us as a result of your provision of said Personal Data to Us.
We reserve the right to send our guests offers from our range of services by means of direct advertising using e-mail. Our legitimate interest in conducting direct advertising consists of being able to offer our guests target-group-oriented individual offers that are created on the basis of a previous booking (transaction) and/or an existing customer relationship.
The personal data you share with us in the case of a booking can be processed by us for the purposes of sending direct advertising for a period of 12 months after a transaction. If you do not make any further bookings or transactions of any other kind within this time frame, your personal data will no longer be processed for the purposes of direct advertising and will be deleted accordingly, provided that you have not subscribed to a newsletter or your personal data do not have to be stored further due to any other regulations.