Privacy Notice

Major Development Hotels and Resorts Co.,LTD

Our commitments to protecting personal data

Major Development Hotels and Resorts Co.,LTD. (“We”) consider you an important customer. Our first priority is to offer you exceptional stays and experiences throughout the world. Your complete satisfaction and confidence is absolutely essential to us. That is why, as part of our commitment to meeting your expectations, this Privacy Notice formalizes our commitments under the Personal Data Protection Act B.E. 2562 to protect your personal data. As a data controller, we use this Privacy Notice to describe to you how we your personal data.

Definitions

“Personal data” means any information relating to an individual, which enables the identification of the owner of such Personal Data, whether directly or indirectly, excluding the data of a deceased person in particular.

“Sensitive personal data” means Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data (such as facial model data, iris or retina image data, or fingerprint data), or any data which may affect the data subject in the same manner as prescribed by the Personal Data Committee.

“Process” or “Processing” means collection, use or disclosure.

“Data controller” means a person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.

“Data processor” means a person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such person or juristic person is not the Data Controller.

“Hotel Group” means Marrakesh Hua Hin Resort and Spa and Maven Stylish Hotel Hua Hin

Our principles for protecting your personal data

In accordance with applicable regulations, in particular the Personal Data Protection Act B.E. 2562, we have instituted the following principles to protect your personal data:

• Lawfulness: We use personal data only if we obtain the consent of the person, or it is necessary to do so for the performance of a contract to which the person is a party, or it is necessary for compliance with a legal obligation, or it is necessary in order to protect the vital interests of the person, or we have a legitimate interest in using personal data and our usage does not adversely affect the persons’ rights.
• Fairness: We can explain why we need the personal data we collect.
• Purpose limitation and data minimisation: We only use personal data that we really need. If the result can be achieved with less personal data, then we make sure we use the minimum data required.
• Transparency: We inform people about the way we use their personal data.
• Rights of data subjects: We facilitate the exercise of the people’s rights: access to their personal data, rectification and erasure of their personal data and the right to object to the use of their personal data
• Storage limitation: We retain personal data for a limited period.
• Integrity and confidentiality: We ensure the security of personal data. If a third party uses personal data, we make sure it has the capacity to protect that personal data. If personal data is transferred outside Thailand, we ensure this transfer is covered by specific legal tools. If personal data is compromised (lost, stolen, damaged), we notify such breaches to the respective country’s responsible authority and to the person concerned, if the breach is likely to cause a high-risk in respect of the rights and freedoms of this person.

For any questions concerning the principles, please contact our Data Protection Officer whose details appear in the clause "Your rights".

What personal data is collected?

At various times, we may collect information about you and/or the persons accompanying you, including the following:

• Contact details (for example, last name, first name, telephone number, email)
• Personal information (for example, date of birth, nationality)
• Information relating to your children (for example, first name, date of birth, age)
• Your credit card number (for transaction and reservation purposes)
• Information contained on a form of identification (such as ID card, passport or driver licence)
• Your membership number for the loyalty program or another partner program
• Your arrival and departure dates
• Your preferences and interests (for example, smoking or non-smoking room, preferred floor, type of bedding, type of newspapers/magazines, sports, cultural interests, food and beverages preferences, etc.)
• Your questions/comments, during or following a stay with us
• Technical and location data you generate as a result of using our websites and applications.

The information collected in relation to minors is limited to their name, nationality and date of birth, which can only be supplied to us by an adult. We would be grateful if you could ensure that your children do not send us any personal data without your consent (particularly via the Internet). If such data is sent, you can contact the Personal Data Officer (see clause "Your rights" below) to arrange for this information to be deleted.

In order to meet your requirements or provide you with a specific service (such as dietary requirements), we may have to collect sensitive personal data, such as information concerning race, ethnicity, political opinions, religious and philosophical beliefs, union membership, or details of health or sexual orientation. In this case, we will only process this data if you provide your express prior consent.

When is your personal data collected?

Personal data may be collected on a variety of occasions, including:

Hotel activities:

• Booking a room
• Checking-in and paying
• Hotel stays and services provided during a stay
• Eating/drinking at the hotel bar or restaurant during a stay
• Requests, complaints and/or disputes.

Participation in marketing programs or events:

• Signing up for loyalty programs
• Participation in customer surveys (for example, the Guest Satisfaction Survey)
• Online games or competitions
• Subscription to newsletters, in order to receive offers and promotions via email.

Transmission of information from third parties:

• Tour operators, travel agencies (online or not), GDS reservation systems and others

Internet activities:

• Connection to websites (IP address and cookies)
• Online forms (online reservation, questionnaires, pages on social networks, social networks login devices such as Facebook login, conversations with chatbot, etc.).

Purposes of collecting your personal data and how long do we retain it?

The table below sets out why we process your data, the lawful basis for the processing and the associated retention period:

Purpose	Lawful basis	Retention period
Meeting our obligations to our customers.	Performance of a contract with you (Art. 24 (3)). Necessary to comply with a legal obligation (Art. 24 (6)). Necessary for our legitimate interest in running our business and providing you with requested products and services (Art. 24 (5)).	10 years from the booking in accordance with legal obligations.
Managing the reservation of rooms and accommodation requests, in particular the creation and storage of legal documents in compliance with accounting standards.
Managing your stay at the hotel: Managing access to rooms Monitoring your use of services (telephone, bar, pay TV etc.).	Performance of a contract with you (Art. 24 (3)). Necessary for our legitimate interest in running our business and providing you with requested products and services (Art. 24 (5)).	For the duration of your stay.
Managing our relationship with customers before, during and after your stay: Managing the loyalty program Inputting details into the customer database Predicting and anticipating future customer behaviors Developing statistics, commercial scores and carrying out reporting of the same Providing context data for our marketing tools. This happens when a customer visits a website or makes a reservation Understanding and managing the preferences of new or repeat customers	Performance of our contract with you and for the management of your membership in the loyalty program (Art. 24 (3)). Necessary for our legitimate interests in promoting our services (Art. 24 (5)). For direct marketing purpose, consent will be obtained (Art. 24)	3 years from the last date on which you have interacted with us in any way, if you are not a member of the loyalty programme. 6 years from the last date on which you have interacted with us in any way, if you are a member of the loyalty programme.
Improving our hotel service by: Personalising your check-in, improving the quality of service and customer experience Processing your personal data through our customer marketing program in order to carry out marketing operations, promote brands and gain a better understanding of your requirements and wishes Adapting our products and services to better meet your requirements Customising the commercial offers and promotional messages we send you Informing you of special offers and any new services by our Hotel Group or one our commercial partners.	Performance of contract with you in relation to the management of your membership in the loyalty program (Art. 24 (3)). For direct marketing purpose, consent will be obtained (Art. 24)	3 years from the last date on which you have interacted with us in any way, if you are not a member of the loyalty program. 6 years from the last date on which you have interacted with us in any way, if you are a member of the loyalty program.
Use a trusted third party to cross-check, analyse and combine your collected data at the time of booking or at the time of your stay, in order to determine your interests and develop your customer profile and to allow us to send you personalized offers.	For direct marketing purpose, consent will be obtained (Art. 24)	3 years from the last date on which you have interacted with us in any way, if you are not a member of the loyalty program. 6 years from the last date on which you have interacted with us in any way, if you are a member of the loyalty program.
Improving our services, in particular: Carrying out surveys and analyses of questionnaires and customer comments Managing claims/complaints Offering you the benefits of our loyalty program.	Performance of contract with you (for the management of your membership in the loyalty program) (Art. 24 (3)).	3 years from the last date on which you have interacted with us in any way, if you are not a member of the loyalty program. 6 years from the last date on which you have interacted with us in any way, if you are a member of the loyalty program. 6 years from the date of closure of your file in case of a claim or a complaint.
Securing and enhancing your use of websites, applications and services by: Improving navigation Maintenance and support Implementing security and fraud prevention.	Necessary for our legitimate interests in running our business, provision of administration and IT services and network security to prevent fraud (Art. 24 (5)).	13 months from the collection of the information.
Internal management of lists of customers having behaved inappropriately during their stay at the hotel (aggressive and anti-social behaviour, non-compliance with safety regulations, theft, damage and vandalism or payment incidents).	Necessary for our legitimate interests in running our business and to prevent fraud and the abuse of our property and staff (Art. 24 (5)).	Up to 122 days from the recording of an event.
Securing payments by determining the associated level of fraud risk. Depending on the results of the investigations carried out, we may take security measures and request the use of a different booking channel or for the use of an alternative payment method. These measures will have the effect of suspending the execution of the booking or, if the result of the analysis does not guarantee the safety of the order, of cancelling it. Fraudulent use of a means of payment leading to payment default may result in the entry of data in the incident file, which may lead us to block future payments or carry out additional checks.	Necessary for our legitimate interests in running our business and to prevent fraud (Art. 24 (5)).	90 days to our database to allow for analysis and controls and then 2 years in a separated database used for improving the system. In case of recording in the incident file, 2 years from recording or until regularization of the situation if earlier.
Securing properties and persons and preventing non-payments. For these reasons, we may refuse an “ineffective” customer’s reservation when he/she returns to the hotel. An "ineffective" customer means any customer whose behaviour has been inappropriate in the following ways: aggression and rudeness, non-compliance with the hotel contract, failure to observe safety rules, theft, damage and vandalism, or payment issues.	Necessary for our legitimate interests in running our business, securing properties and persons and preventing non-payments (Art. 24 (5)).	122 days from registration.
Conforming to any applicable legislation (for example, storing of accounting documents), including: Managing requests to unsubscribe from newsletters, promotions, tourist offers and satisfaction surveys Managing data subject’s requests regarding their personal data.	Necessary to comply with a legal obligation (Art. 24 (6)).	10 years from the booking in accordance with legal obligations.

Conditions of third-party access to your personal data

We share your data with a number of authorised people and departments in order to offer you the best experience in our hotels. The following teams may have access to your data:

• Hotel staff
• IT departments
• Commercial partners and marketing services
• Medical services if applicable
• Legal services if applicable
• Generally, any appropriate person within our Hotel Group entities for certain specific categories of personal data.

Sharing within our Hotel Group: in particular, the data related to your stays, preferences, satisfaction and, if the case may be, your loyalty program membership are shared between the hotels in our Hotel Group. This data is used to improve the quality of service and your experience in each of these hotels. In this context, your data is processed jointly by us and these hotels. In order to pursue this legitimate interest, whilst safeguarding your rights and liberties, a specific joint controllership agreement describes the obligations and responsibilities of us and these hotels. You may, at any time, object to the sharing of this data between us and other hotels in our Hotel Group by contacting the Data Protection Officer whose details appear in the clause "Your rights". You can also request a summary of the key points of the joint controllership agreement.

With service providers and partners: your personal data may be sent to a third party, which may be a data processor, for the purposes of supplying you with services and improving your stay, for example:

• External service providers: IT sub-contractors, international call centres, banks, credit card issuers, external lawyers, dispatchers, printers.
• Commercial partners: we may, unless you specify otherwise to the Data Protection Officer, enhance your profile by sharing certain personal information with its preferred commercial partners. In this case, a trusted third party may cross-check, analyse and combine your data. This data processing will allow privileged contractual partners to determine your interests and customer profile to allow us to send you personalized offers.
• Social networking sites: In order to allow you to be identified on the website without the need to fill out a registration form, we have put in place a social network login system. If you log in using the social network login system, you explicitly authorize us to access and store the public data on your social network account (e.g. Facebook, LinkedIn, Google, Instagram), as well as other data stated during use of such social network login system. We may also communicate your email address to social networks in order to identify whether you are already a user of the concerned social network and in order to post personalized, relevant adverts on your social network account if appropriate. You can object to this processing by exercising your rights. The details on how to do so appear in the clause "Your rights"
• With local authorities: We may be obliged to send your information to local authorities if this is required by law or as part of an inquiry. We will ensure that any such transfer is carried out in accordance with local regulations.

Protection of your personal data during international transfers

For the purposes set out in clause 6, we may transfer your personal data to internal or external recipients who may be in countries offering different levels of personal data protection. Consequently, in addition to implementation of this Privacy Notice, we employ appropriate measures to ensure secure transfer of your personal data to another entity or to an external recipient located in a country offering a different level of privacy from that in the country where the personal data was collected.

Data transfers to countries having different levels of personal data protection, are regulated by standard contractual clauses defined by suitable protection measures (i.e. adequate data protection standard and standard contractual clauses) under the Personal Data Protection Act B.E. 2562.

Data security

We take appropriate technical and organizational measures, in accordance with applicable legal provisions (in particular: Art. 37 of the Personal Data Protection Act B.E. 2562), to protect your personal data against illicit or accidental destruction, alteration or loss, misuse and unauthorized access, modification or disclosure. To this end, we have taken technical measures (such as firewalls) and organizational measures (such as a user ID/password system, means of physical protection etc.) to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. In relation to the submission of credit card data when making a reservation, SSL (Secure Socket Layer) encryption technology is used to guarantee a secure transaction.

Cookies

We use cookies and other tracking technologies on its websites. To find out more about how we use these trackers and how to configure them, please see the pop-up cookies setting on our web page.

Your rights

As the data subject, you have the right to request us to take the following acts in relation to your personal data, to the extent permitted by the Personal Data Protection Act B.E. 2562:

• Right to withdraw consent: you have the right to withdraw consent for the us to process your personal data, for which you had given consent, any time which your personal data is retained with the us;
• Right of access: you have the right to access your personal data and to request the copy of your personal data, as well as request that we disclose any acquisition of your personal data for which you had not given consent;
• Right to rectification: you have the right to request us to rectify inaccurate personal data, or to add to the existing personal data which is incomplete;
• Right to erasure: you have the right to request us to erase your personal data, to the extent permitted by law;
• Right to restriction of processing: you have the right to request us to suspend the use of your personal data, to the extent permitted by law;
• Right to data portability: you have the right to transfer your personal data which you had provided us to another data controller, or to yourself, to the extent permitted by law;
• Right to object: you have the right to object to the processing of your personal data, to the extent permitted by law;

Marrakesh Hua Hin Resort and Spa (Data Protection Officer: DPO)

63/411 Moo Baan Nong Kae, T. Nong Kae, A.Hua Hin, Prachuap Khiri Khan 77110

Tel: +66 (0) 32 616 777

Email: reservations@marrakeshresortandspa.com

For the purposes of confidentiality and personal data protection, we will need to check your identity in order to respond to your request. In case of reasonable doubts concerning your identity you may be asked to include a copy of an official piece of identification, such as an ID card or passport, along with your request. A black and white copy of the relevant page of your identity document is sufficient. All requests will receive a response as swiftly as possible.

Updates

We may modify this Privacy Notice from time to time. Consequently, we recommend that you consult it regularly, particularly when making a reservation at the hotel.

Questions and contacts

For any questions concerning our personal data protection policy, please contact our Data Protection Officer (See clause "Your rights").