Personal data policy on the processing of guest, customer and supplier data

Bella Operation A/S, which comprises the following companies:
Bellagroup , CBR no. 37 93 98 38, and
Crowne Plaza Copenhagen Towers , CBR no. 30 54 80 43, and the hotels Copenhagen Marriott and AC Bella Sky Copenhagen By Marriott.

1. Data controller
Bella Operation A/S is the data controller.
Bella Operation A/S / Bellagroup’s contact data:
INFO@BCHG.dk, Center Boulevard 5, 2300 Copenhagen S, Denmark, Att. Marketing & Communication

Bellagroup handles all personal data in accordance with applicable personal data law. Bellagroup concludes agreements with guests, customers and suppliers on the delivery – purchase and sale – of various services and products.

When a guest/customer orders and purchases one or more of Bellagroup ’s services, and, in connection with this purchase, provides their personal data to Bellagroup , the guest/customer/supplier also consents to the processing of their personal data by Bellagroup .
This same applies with regard to any personal data provided to Bellagroup by suppliers to Bellagroup in connection with the submission of offers or conclusion of agreements with Bellagroup .

2. Bellagroup ’s collection of personal data
Personal data is collected by Bellagroup as follows:

• When a guest/customer – or a representative of theirs – chooses to obtain an offer and/or purchase services/products offered by Bellagroup , or when suppliers provide offers or sell products or services to Bellagroup .
• From the B2B market.
• Through browser cookies and web beacons.
• In connection with the use of Bellagroup ’s digital services.
• Through participation in Bellagroup ’s customer/loyalty programmes and through subscription to Bellagroup ’s newsletter.
• From social media, advertising and analysis providers, and public records.
• Via video and television surveillance.
• When suppliers conclude agreements with Bellagroup or provide offers to Bellagroup .
The collection and processing of personal data, cf. the above, will always be performed in accordance with applicable personal data legislation.

Video surveillance installed at our entrances/exits, at cash registers and around particularly valuable equipment is part of criminal prevention activities and also serves to improve employees’ and guests’ sense of security.

3. Data collected by Bellagroup
Bellagroup collects the following personal data:

• Name, address, telephone number, e-mail address, date of birth and other common non-sensitive personal data.
• Payment card data – typically as a guarantee for a reservation and for payment for stays.
• Demographic data.
• Picture ID for access card
• Purchase history, including the use of Bellagroup apps and/or other digital services.
• The use of Bellagroup ’s customer/loyalty programmes.
• Data from Bellagroup ’s customer surveys.
• Data from competitions conducted by Bellagroup .
• Data from Bellagroup ’s social media and other digital platforms belonging to Bellagroup .
• Browser data.
• Data about the guest’s/customer’s company and relevant contact persons.
• Data about suppliers’ companies and data about relevant and key contact persons, including key accounts.
A guest/customer/supplier can voluntarily and at their option provide Bellagroup with additional personal data that they deem of importance for Bellagroup ’s servicing of them, or which they believe should be provided for safety/security reasons.

Examples of such data include:

• Disabilities
• Allergies
• Special food preferences
• Other health or medical data
If a guest/customer/supplier voluntarily and at their option chooses to provide such data, Bellagroup perceives this as consent to register and store this sensitive data regarding them.

In addition to the data that Bellagroup receives directly from guests/customers/suppliers, Bellagroup will in some cases collect or process additional data received by Bellagroup from third parties, e.g. a travel agency, another intermediary or an employee of the company at which the data subject is employed.

In such cases, the applicable third party is obliged to inform the applicable guests/customers/suppliers of Bellagroup ’s terms and conditions, and Bellagroup ’s personal data policy. It is also the applicable third party’s responsibility to ensure the required legal basis for the collection and processing of the applicable data, including collection of required consent for the processing of any sensitive data.

4. Payment with payment cards
Bellagroup uses DIBS www.dibs.dk (Nets), and 3Payments for redemption of payments with payment and credit cards. DIBS, 3Payments and Bellagroup are all approved and certified by Pengeinstitutternes Betalingssystem (www.pbs.dk).

In connection with orders and bookings, Bellagroup stores the data provided by the guest/customer/supplier for a period of up to two years, after which the data is deleted.

Besides processing of the order, the data provided will only be used if, for example, a guest/customer/supplier contacts Bellagroup with a question, or if there are errors in the order.

5. What is the purpose of the collection and processing?
Bellagroup solely collects personal data necessary to fulfil the agreements concluded with guests/customers/suppliers on the delivery of services, e.g. an overnight stay or purchase/sale of products or services. The content of the individual agreement or the nature of the service determines which personal data is collected and processed by Bellagroup , as well as the purpose of the collection.

The purpose of collection and processing of personal data will primarily be:
• Processing of guest/customer booking and purchase of Bellagroup services.
• Identification, access and security to Bellagroup
• Processing of suppliers’ offers and the sale of products and services.
• Contact with the guest/customer before, during and after their stay.
• Fulfilment of the guest’s/customer’s request for an offer or purchase of services.
• Improvement and development of Bellagroup ’s services.
• Adjustment of Bellagroup ’s marketing and other communication.
• Analysis of guest/customer/supplier user behaviour and marketing to these groups.
• Adjustment of Bellagroup ’s partners’ communication and marketing to guests/customers/suppliers.
• Administration of guest/customer/supplier relations with Bellagroup , including participation in Bellagroup ’s customer/loyalty programme.
• Compliance with legal requirements, e.g. requirements to register overnight guests under the Danish Aliens Act and the Executive Order on Passports.

6. Legal basis for the processing
Bellagroup will typically process personal data because it is necessary to fulfil an agreement between Bellagroup and a guest/customer/supplier. For example, this may involve hotel stays, meetings and/or administration and fulfilment of cooperation and supplier agreements.

Furthermore, Bellagroup will process personal data in connection with booking prior to an overnight stay, meeting, event, conference, etc, and prior to the conclusion of supplier agreements.
In some cases, Bellagroup ’s processing of personal data will occur in connection with Bellagroup pursuing a legitimate/objective interest that precedes the interests of the guest/customer/supplier (the data subject).

A legitimate interest may, for example, be the preparation of statistics, customer surveys, marketing and analysis of general guest/customer behaviour for the purpose of generally improving the guest/customer experience with Bellagroup and the quality of Bellagroup ’s services and products.

If, in connection with a stay/visit at Bellagroup , a guest/customer provides data about special personal preferences or considerations, e.g. health data, disability, religious belief or the like, Bellagroup only uses this data to ensure consideration of the guest’s/customer’s personal preferences, health, etc.

In some cases, Bellagroup receives personal data from a third party, e.g. a travel agency, an agent or the like, including in connection with group bookings. In such cases, the applicable third party is required to inform the applicable guests/customers/suppliers of Bellagroup ’s terms and conditions, and the contents of this personal data policy.

Furthermore, Bellagroup is required by law, cf. section 5 above, to register a range of data about overnight guests. This data must be stored for at least one year and not more than two years.

7. The data subject’s rights
Under the rules of the Personal Data Regulation, the data subjects (customers/guests/suppliers) have various rights.
• A data subject is entitled at all times to access the personal data processed by Bellagroup regarding the data subject.
• A data subject is entitled at all times to demand the correction and updating of personal data possessed by Bellagroup regarding the data subject.
• A data subject is entitled at all times to demand the deletion of personal data possessed by Bellagroup regarding the data subject. If a data subject requests deletion, all of the data that Bellagroup is not required by law to store will be deleted. In some cases, the deletion of the data subject’s data may mean that Bellagroup cannot fulfil concluded agreements or deliver certain services to the data subject.
If some of the data possessed by Bellagroup regarding the data subject is provided on the basis of the data subject’s consent, the data subject is at all times entitled to withdraw this consent, whereby the data will be deleted or no longer be used by Bellagroup . This does not apply to data which Bellagroup is required by law to store, cf. the section above.

However, the option of withdrawing consent, requesting deletion, etc may be limited as regards the protection of the privacy of others, trade secrets and intellectual property rights, and, for example, for the purpose of asserting potential legal claims.

The data subject may at all times request in writing that Bellagroup provide an overview and a copy of the personal data possessed by Bellagroup regarding the data subject.
A written request to this effect must be signed by the data subject and include the data subject’s name, address, telephone number and e-mail address. If the request is regarding a received email or the like, a copy of the mail and info about sender, subject and time should be enclosed. 

The data subject may also contact Bellagroup if the data subject believes that their personal data is being processed in violation of the law or in violation of other legal obligations, e.g. this agreement/contract between the data subject and Bellagroup .
This written request must be sent to Bellagroup , see contact data in section 1 above.
After receipt of the data subject’s written request, Bellagroup will, as far as possible, send this data to the data subject’s mail address within one month.

If the data subject requests correction and/or deletion of their personal data, Bellagroup will assess whether the conditions for the request are met, and, if so, Bellagroup will perform changes or deletion as quickly as possible.

Bellagroup reserves the right to reject requests which are of a harassing repetitive nature, which require disproportionate technical measures (e.g. the development of a new IT system), which impact the protection of other data subjects’ personal data, or in other situations where it would be disproportionately resource-demanding or highly complicated to accommodate the request.

If you wish to request your personal data, please fill out the form below:

Download the personal data form

Security and sharing of personal data
Bellagroup protects the data subject’s personal data and has established guidelines protecting the data subject’s personal data from unauthorised disclosure and preventing unauthorised parties from gaining access to, or knowledge of, this data.

Only the persons/employees at Bellagroup who require the data subject’s personal data in connection with their job function have access to this data. Bellagroup performs continuous monitoring to prevent any unauthorised accessing of the data subjects’ personal data.

Bellagroup performs continuous backup of the registered personal data. In the event of a security breach where there is a high risk of abuse of the data subjects’ personal data, including, for example, identity theft, financial loss, damage to reputation or other forms of misuse, Bellagroup will notify the data subjects of the security breach as quickly as possible.
Bellagroup ’s security procedures are continuously reviewed and updated in relation to technological developments.

Bellagroup utilises a number of external suppliers of IT services, IT systems, payment solutions, etc. Bellagroup regularly concludes data processor agreements with all of Bellagroup ’s suppliers, ensuring that external data processors maintain a required and high level of protection of the data subjects’ personal data.

To fulfil agreements with the data subjects and to accommodate the needs of guests and customers, Bellagroup shares selected personal data with external suppliers, such as restaurants, hotels, etc. This is done either in connection with overbooking at the hotels, or, for example, the guest’s request for booking at a restaurant.

Bellagroup also shares and transfers the data subjects’ personal data internally in the Group, including to affiliated companies. The purpose of this sharing is to give the guest/customer the best possible service, regardless of the hotel or division of Bellagroup with which the guest/customer is in contact.

In some cases, Bellagroup is required by law or by the order of a public authority to transfer personal data.

Bellagroup deletes your personal data when Bellagroup ’s legal obligation ceases, or when the purpose of collecting and processing the data is no longer present. As a general rule, financial data is stored for five years, and other data for two years after the last visit.

10. Cookies
Bellagroup uses cookies. A cookie is a small text file which the browser stores on your computer. It is not a program and cannot contain a virus.

We use cookies for:
Personal settings and website functionality: For instance in a contact form. The next time you complete the form, the cookie will make it easier for you, e.g. by suggesting your name, address or e-mail address when you start typing. We cannot see this cookie.

Simple statistics: So we can improve the website. These cookies tell us which pages have been visited most, whether your computer has visited us before (based on the IP address), your browser and screen resolution, etc.
Targeted marketing: To display ads based on your behaviour on our and other websites. In some cases where you are logged in with your email address, your behaviour across Bellagroup’s websites may be tracked.

When clicking on functions that navigate to other websites (e.g. social media), Bellagroup is not responsible for, and cannot control, which cookies are used.
In your browser you can delete cookies, block cookies, or set the browser to request your permission to accept cookies. See how to do this in various browsers at http://minecookies.org/

11. Complaints
Complaints regarding Bella Operation A/S / Bellagroup ’s processing of personal data can be directed to the Danish Data Protection Agency, Carl Jacobsens Vej 35, 2500 Valby, DENMARK, TELEPHONE (+45) 3319 3200 - E-MAIL dt@datatilsynet.dk

12. Updates
Changes and adjustments to this policy will be added on a continuous basis.