2. The Application of this Policy
This Policy applies to employees’ personal information and to the use of that personal information in any form, whether oral, electronic and/or written, of employees from the European Union, United Kingdom and Switzerland or who are employed at Hyatt Locations (as defined below) in those same countries.
This Policy gives effect to Hyatt’s commitment to protect your personal information and has been adopted by all of the separate and distinct legal entities that manage, operate, franchise, own and/or provide services to the locations operating under or in connection with the Hyatt®”, Park Hyatt®, Miraval®, exhale®, Grand Hyatt®, Hyatt Regency®, Andaz®, Hyatt Centric®, The Unbound Collection by Hyatt®, Hyatt Place®, Hyatt House®, Hyatt Ziva, Hyatt Zilara or Hyatt Residence Club® brands around the world, including independently-branded locations affiliated with Hyatt (individually, a “Hyatt Location” and collectively, the “Hyatt Locations”). Those entities include Hyatt Hotels Corporation, its direct and indirect subsidiaries, and all of the separate and distinct legal entities that own the individual Hyatt Locations worldwide. References to “Hyatt”, “we” and “our” throughout this Policy, depending on the context, collectively refer to those separate and distinct legal entities, including the entity with which you have or may have an employment relationship. A list of the Hyatt entities may be found here.
Your personal information will be processed by the entity with which you have or may have an employment relationship for the purposes set out in Section 4 below. Your personal information may be disclosed to the other entities listed above for human resources administration purposes.
While this Policy is intended to describe the broadest range of our personal information processing activities globally, those processing activities may be more limited in some jurisdictions based on the restrictions of their laws. For example, the laws of a particular country may limit the types of personal information we can collect or the manner in which we process that personal information. In those instances, we adjust our internal policies and/or practices to reflect the requirements of local law.
3. The Types of Personal Information We Process
The term “personal information” in this Policy refers to information that identifies or is capable of identifying you as an individual. The types of personal information that we process (which may vary by jurisdiction based on applicable law and the nature of the employee’s position and duties) include:
- name, gender, personal contact details, date of birth, image, ethnicity, marital status, emergency contacts;
- residency and work permit status, military status, nationality and passport information;
- social security or other taxpayer identification number, banking details;
- sick pay, pensions, insurance and other benefits information (including the gender, age, nationality and passport information for any spouse, minor children or other eligible dependants and beneficiaries);
- date of hire, date(s) of promotions(s), work history, technical skills, educational background, professional certifications and registrations, language capabilities, training courses attended;
- height, weight and clothing sizes, photograph, physical limitations and special needs;
- records of work absences, vacation entitlement and requests, salary history and expectations, performance appraisals, letters of appreciation and commendation, selection and development assessments, and disciplinary and grievance procedures (including monitoring compliance with and enforcing Hyatt policies);
- where permitted by law and proportionate in view of the function to be carried out by an employee or prospective employee, the results of credit and criminal background checks, the results of drug and alcohol testing, screening, health certifications, driving licence number, vehicle registration and driving history;
- wellness programs (including any information for a spouse, minor child or other eligible dependants and beneficiaries who choose to participate in the wellness program);
- information required to comply with laws, the requests and directions of law enforcement authorities or court orders (e.g., child support or debt payment information);
- acknowledgements, agreements regarding Hyatt policies, including ethics and/or conflicts of interest policies and computer and other corporate resource usage policies;
- information captured on security systems, including Closed Circuit Television (“CCTV”) and key card entry systems and other security and technology systems, to the extent permitted by applicable law including, in certain jurisdictions, biometric information and facial recognition;
- voicemails, emails, correspondence and other work product and communications created, stored or transmitted by an employee using Hyatt’s computer, network or communications equipment;
- date of resignation or termination, reason for resignation or termination, information relating to administering termination of employment (e.g., references); and
- any other relevant data that could be necessary to comply with Hyatt’s legitimate business interests (as detailed at Section 4 below).
Much of the personal information we process is information that you knowingly provide to us. However, in other instances, we process personal information that we are able to infer about you based on other information you provide to us or during our interactions with you, or personal information about you that we receive from a third party (such as a recruitment agent or background check vendor) using a process that we have told you about.
There may be instances in which the personal information that you provide to us or we collect is considered Sensitive Personal Information under the privacy laws of some countries. Those laws define “Sensitive Personal Information” to mean personal information from which we can determine or infer an individual’s racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, membership of a trade union or professional association, physical or mental health or condition, genetic data, biometric information, and information about an individual’s sexual life or sexual orientation. In some very rare instances, financial records may constitute Sensitive Personal Information where you are located. We only process Sensitive Personal Information in your jurisdiction if and to the extent permitted by applicable law.
Unless otherwise stated, all personal information we request from you is obligatory. If you do not provide and/or allow us to process all obligatory personal information as requested, we will not be able to keep complete information about you, thus affecting our ability to accomplish the purposes set out at Section 4 below.
4. How We Use Personal Information
Depending on the respective country and applicable laws, we may collect, use and disclose personal information concerning employees in order to:
- evaluate applications for employment;
- manage all aspects of an employee’s employment relationship, including, but not limited to, payroll, benefits, corporate travel and other reimbursable expenses, development and training, absence monitoring, performance appraisal, disciplinary and grievance processes;
- perform general administrative, analytical and human resource-related processes;
- develop workforce and succession plans;
- maintain sickness records and occupational health programs;
- protect the safety and security of Hyatt guests, staff and property (including controlling and facilitating access to and monitoring activity in secured premises and activity using Hyatt computers, network, communications and other resources);
- investigate and respond to claims against Hyatt, its staff and its guests;
- conduct employee surveys and administer employee recognition programs;
- administer termination of employment and provide and maintain references;
- maintain emergency contact and beneficiary details (which involves Hyatt holding information on those you nominate in this respect); and
- comply with applicable laws (e.g., health and safety laws), including judicial or administrative orders regarding individual employees (e.g., garnishments or child support payments).
There are CCTV cameras and other security tools in operation within and around our Hyatt Locations, which, depending on the respective country and applicable laws, may be used for the following purposes:
- to prevent and detect crime;
- to protect the health and safety of Hyatt guests and staff;
- to manage and protect Hyatt’s property and the property of Hyatt’s staff, guests and other visitors; and
- for quality assurance purposes, to the extent permitted by applicable law.
We may also utilise “Secret Shopper” or “Mystery Guest” programs, to monitor the quality of our customer service.
We may monitor Internet use and communications in accordance with applicable laws and Hyatt’s Acceptable Use Policy and any other policies that may replace, amend or supplement that policy from time to time.
When we process your personal information as a Hyatt employee (or prospective employee), we do so in our legitimate interests as per the purposes set out above, because of legal obligations we are subject to, or because the information is required to fulfil contractual obligations to you in relation to your employment. We may retain certain personal information of employees after their employment ends for any residual aspects of the purposes set out above. We will only retain such personal information for as long as it is necessary and in all cases for no longer than permitted by Hyatt’s Records Management Policy and applicable law. For example, payroll records are generally retained for a period of ten (10) years following the end of the relevant accounting year and compensation records are generally retained for as long as you are an employee plus ten (10) years. Personal information in records may be maintained for longer periods if subject to a legal or tax hold or specific country/region requirement.
5. Disclosures of Your Personal Information
In order to carry out the purposes outlined above, information about you will be disclosed for the purposes set out above to human resources staff, line managers, consultants, advisers and other appropriate persons in our Hyatt Locations.
5.2 Our Agents, Service Providers and Suppliers
Like many businesses, from time to time we outsource the processing of certain functions and/or information to third parties. Please note that when you apply for a position with us online, you may be transferred to a third party site with which Hyatt has contracted to process your personal information on our behalf. When we do outsource the processing of your personal information to third parties or provide your personal information to third-party service providers, we oblige those third parties to protect your personal information in accordance with the terms and conditions of this Policy, with appropriate security measures. A list of the categories of third party agents, service providers and suppliers to which your information may be transferred may be found here.
5.3 Business Transfers
As we continue to develop our business, we may buy or sell hotels and other assets. In such transactions, employee information is generally one of the transferred business assets and we may include your personal information as an asset in any such transfer. Also, in the unlikely event that we, or substantially all of our assets, are acquired, employee information may be one of the transferred assets.
5.4 Legal Requirements
We reserve the right to disclose any personal information we have concerning you if we are compelled to do so by a court of law or lawfully requested to do so by a governmental entity or if we determine it is necessary or desirable to comply with the law or to protect or defend our rights or property in accordance with applicable laws. We also reserve the right to retain personal information collected and to process such personal information to comply with accounting and tax rules and regulations and any specific record retention laws.
6. International Transfers of Personal Information
Like most international businesses, we have centralized certain aspects of our data processing and human resources administration in accordance with applicable laws in order to allow us to better manage our business. That centralization may result in the transfer of personal information from one country to another. For example, some personal information concerning you will be transferred to and processed in the United States if you are employed, or are a candidate for employment: (a) by any Hyatt affiliate located outside of the United States; or (b) as an Executive Committee Member, Department Head or other key employee of any of our entities or affiliated hospitality businesses located outside the United States.
If you are being considered for a position with a Hyatt Location in a different country, some personal information concerning you will be transferred to the country where the job opening is located. Personal information concerning you may also be transferred to managers and/or human resources staff of Hyatt affiliates in other locations in accordance with applicable laws in order for them to be able to contact you with respect to applying for a different position. The jurisdictions to which the information will be transferred may or may not have laws that seek to preserve the privacy of personal information.
However, whenever your personal information is transferred within Hyatt, your personal information will be processed in accordance with Hyatt’s binding corporate rules (see Section 10 below for further details), the terms and conditions of this Policy and applicable laws. A list of the Hyatt Locations to which your personal information may be transferred, and the jurisdictions in which those entities are located, can be found by selecting “All” at: https://www.hyatt.com/explore-hotels.
Additionally, some of the third party suppliers to which we transfer your personal information may be based in different locations, some of which may have lower standards of data protection than in your home country. When we do transfer personal information to third parties, we ensure appropriate safeguards are in place, and oblige those third parties to protect your personal information in accordance with the terms and conditions of this Policy, with appropriate security measures. These third parties broadly fall into two groups: (i) locally-provided suppliers supporting individual Hyatt Locations or groups of Hyatt Locations, who may operate in any of the countries in which Hyatt Locations operate; or (ii) centrally-procured service providers, supporting Hyatt as a whole, who may be located in our major business locations, in particular the United States (where we are headquartered), Switzerland and Hong Kong.
7. Updating or Accessing Your Personal Information
Under data protection laws in Europe, you have various rights in relation to the personal information about you that we process.
With some limited exceptions, you may inquire about the personal information we maintain about you by sending us a written request by letter or email to the addresses set out in Section 10 below. Please be sure to include your full name, current (or last) job title and place of employment with Hyatt and a copy of a document evidencing your identity (such as an ID card or passport) so we can ascertain your identity and the personal information we maintain about you. We may not disclose data that you are not entitled to receive under applicable laws (e.g., data revealing information about another individual).Where you make more than one request in quick succession, we may respond to your subsequent request by referring to our earlier response and only identifying any items that have changed materially.
You may request that we correct, delete and/or stop or restrict processing or using personal information that we hold about you by sending a letter or email to the addresses set out in Section 10 below. If we agree that the information is incorrect, or that the processing should be stopped, we will delete or correct the information. If we do not agree that the information is incorrect, we will tell you that we do not agree and record the fact that you consider that information to be incorrect in the relevant file(s).
You may also seek to exercise your right to data portability by sending a letter or email to the addresses set out in Section 10 below.
Finally, you may in some circumstances have the ability to object to the processing of your personal information on the grounds of your particular situation. You may do so by sending us a written request by letter or email to the addresses set out at Section 10 below. If we agree that you are entitled to so object, we will cease to process your personal information.
8. Protecting Your Personal Information
The personal information we collect from you is stored by us and/or our service providers on databases protected through a combination of physical and electronic access controls, firewall technology and other reasonable security measures. Nevertheless, such security measures cannot prevent all loss, misuses or alteration of personal information and we are not responsible for any damages or liabilities relating to any such incidents to the fullest extent permitted by law. Where required under law, we will notify you of any such loss, misuse or alteration of personal information that may affect you, so that you can take the appropriate actions for the due protection of your rights.
9. Changes to this Policy
Just as our business changes constantly, this Policy may also change. Where the Policy changes, we will take appropriate steps to bring the amendment to your attention. To assist you, this Policy has an effective date set out at the end of this document.
10. Request for Access to Personal Information/Questions or Complaints
If you have any questions about this Policy, about the processing or your personal information as described herein, or any concerns or complaints with regard to the administration of the Policy, or if you would like to submit a request (in the manner described in Section 7 above) to exercise your rights in relation to the personal information that we maintain about you, please contact us by any of the following means:
- for current employees, by contacting your line manager or your human resources manager; and
- for applicants and former employees, by contacting Hyatt’s Chief Privacy Officer at firstname.lastname@example.org.
For complaints, further escalation at the employee’s option can be made to the relevant Hotel General Manager and finally to Hyatt’s Chief Privacy Officer by sending an email to email@example.com.
While this Policy alone does not create contractual rights, Hyatt has ensured compliance with some of its legal obligations in some countries in relation to personal information by creating a set of binding standards and policies (known in some countries as binding corporate rules), approved by a number of national privacy regulators. As a result, depending on your circumstances and location, you may be able to enforce your privacy rights using those standards and policies through that regulator or a court. If you would like to know more about these standards and policies, please contact Hyatt’s Chief Privacy Officer by sending an email to firstname.lastname@example.org.
All requests for access to your personal information must be submitted in writing by letter or email. We may respond to your request by letter, email or any other suitable method.
Effective Date: May 2018
In the event of any inconsistencies between the English version of this Policy, and any version of this Policy in any other language, the English version shall prevail (to the fullest extent permitted under applicable law).