Learn More About Your Privacy Rights

At h27 we care about your personal information. It is of the utmost importance for us that all processing of personal data takes place in consideration of the privacy of the individual. This is why we always do our best to ensure that all processing of personal data takes place in accordance with the General Data Protection Regulation (the “GDPR”) and other applicable legislation. This privacy policy (the “Policy”) applies to personal data about guests, customers and suppliers as well as other individuals who may be registered in IT systems (such as booking systems), website, apps, loyalty programs or the equivalent or personal data that is transferred from travel agencies, other booking sites or similar.

Hotel 27 Aps

Address: C/O Sønderby Legal, Amaliegade 12, 1256 København

Physical Address: Løngangstræde 27, 1468 København K

CVR-nr: 41256923

Depending on the situation, we collect information directly from you or from other sources.

From you

When you contact us regarding a reservation or making a hotel reservation, have special requirements regarding your visit or use a social media that we provide, we will collect and process the information that you provide us with. This could include sensitive personal data, such as information about allergies.

From other sources

If someone makes a reservation for you, we process such personal data about you.

Also, sometimes we receive personal data from third parties (including other companies within our group) with whom we do business with or that are suppliers to us.

In addition, if permitted by law, we – or a third party – can under certain circumstances use tracking tools (such as cookies) to collect information about you. More information about the use of cookies on our website can be found in the cookie policy below.

Under certain circumstances we process personal data about you that originates from publicly available sources like social media. This is for example the case when you make a review about our hotel on a website.

In those cases where we process personal data about you that we receive from other sources than yourself, we will provide you with information in accordance with the GDPR, if possible.

Information regarding guests

Type of personal data

contact information (for example your name, e-mail address, telephone number and address),

demographic information (such as age, gender, age and language),

guest stay information (which could include special categories of personal data, such as information about allergies),

a copy of the details of your passport or identity card (which can include your name and address, your place of birth and birthdate and your national identification number, the number of your passport or identity card and your nationality),

payment information (such as credit card number),

business information,

information relating to your (previous) reservations (for example past visits, date of arrival, date of departure),

information (for example feedback about our hotels and services) that you submit to us (e.g. through customer satisfaction surveys).

Legal basis for the processing

The processing of your personal data is based on your consent (in cases we have asked for it and you have accepted it), the performance of a contract to which you are a party, in order to take steps at the request of you to entering into a contract (for example in relation to a reservation), or a legal obligation (for example the legal obligation for accommodation providers to register hotel guests).

We may also process data based on our legitimate interests. We have for example a legitimate interest in scanning your identification documents at check-in in order to facilitate the check-in process and to avoid queues at the reception desks and mistakes in the registration of personal data).We also have a legitimate interest in contacting our guests to ask them about their stay in our hotel. When processing is based on legitimate interest, we shall make a balance between our legitimate interests and your rights and interests.

Purpose

To provide you with the services and products that you have asked for (for example in relation to a reservation), in order to valuate and improve our services and to fulfill our legal obligations (for example to register hotel guests).

Type of personal data

Contact details such as name, e-mail address, and telephone number.

Lawful basis for the processing

We process your personal data based on our legitimate interests. When processing based on legitimate interest, we shall make a balance between our legitimate interests and your rights and interests.

Purpose

We process personal data for the purpose of managing the supplier relationship, for contacts in various questions, billing, and marketing (if applicable) or to communicate in other ways with you and your company.

Type of personal data

The personal data that you submit to us on any social media platform (e.g. name, e-mail address, and telephone number).

Lawful basis for the processing consent (in cases we have asked for that and you have accepted it)

We may also process data based on our legitimate interests. When processing based on legitimate interest, we shall make a balance between our legitimate interests and your rights and interests.

Purpose

To provide you with the services and products that you want, to manage and market our services and products and to communicate with you.

Type of personal data

Name, e-mail address, telephone number and any other personal data that you submit to us via e-mail.

Lawful basis for the processing consent (in cases we have asked for that and you have accepted it)

the performance of a contract to which you are party or in order to take steps at the request of you to entering into a contract, or

our legitimate interests when processing is based on legitimate interest, we shall make a balance between our legitimate interests and your rights and interests.

Purpose

To provide you with the services and products that you want, to manage and market our services and products and to communicate with you.

To our knowledge, we are not in contact or collect personal data from children under 18 without relevant permission from a parent or guardian. If you believe we have inadvertently collected such information, please contact us so we can promptly obtain parental consent or remove the information.

Type of personal data

Name and e-mail address

Legal basis for processing

The hotel has a legitimate interest in sending marketing information to its customers regarding similar products and services (e.g. event invitations, promotions and special offers). If you do not wish to receive our communications you can express your preference at the time we collect your information (e.g. at the form you fill out at check-in). If you are not a guest or a client, we may use your personal data to send you marketing information regarding similar products and services (e.g. event invitations, promotions and special offers) if you have given us your consent to do so.

If you have consented to receive marketing, you may withdraw your consent at any time. In addition, if we process your data for marketing purposes, you have the right to object at any time and you are at any time (see further below regarding your opportunities and rights in relation to this). You can object, for example, by using the unsubscribe links in the relevant communication.

Purpose

We use your personal data to keep you informed about our services, events and promotions.

h27 uses camera surveillance. Camera surveillance is deemed to be particularly sensitive from a privacy perspective and it is of great importance that all camera surveillance take place in accordance with the relevant legislation in effect from time to time.

The camera images are processed on the basis of our legitimate interest to secure and protect our hotel and our guests.

The camera images are processed in accordance with the GDPR and applicable national laws such as the camera legislation. If necessary, the hotel has indicated the camera surveillance by means of a pictogram, it has notified the cameras to the competent authority and it has included information in a specific record.

If you would like more information, please contact us by using the contact details provided below.

In order to provide you with premium service each time you visit our hotel, we may keep a profile about you, which can include information about your previous stays (such as how often you visit our hotel, when you visited our hotel the last time as well as financial information about your past stays).

The processing of your personal data is based on our legitimate interest to provide tailor-made customer service.

Type of personal data

The information you provide us with, such as your name, telephone number, e-mail address, completed education, skills and previous experiences via your CV, photographs, certificates, transcripts and other information which you provide to us from a former or current employer, data which is provided by the persons who you offer as references, any salary demands, notes from interviews, any responses that you have given and test results from proficiency and/or personality tests that you took as part of the recruitment process. In addition, other personal data that you chose to provide in your CV, cover letter, or other documents will be processed. In a number of cases, the hotel also receives data from third parties, such as social networks through which you apply, e.g. LinkedIn, selection and recruitment agencies, which carry out tests in the context of the application, your previous employer, but only if you have given your consent to do so.

h27 may process the following personal data:

regarding reference persons: name, contact details, employer and professional title;

To the extent possible, h27 will avoid processing sensitive personal data about you. In the event sensitive personal data will be processed, consent is obtained from the data subject before such processing begins.

Application - advertised positions

h27 processes your personal data within the scope of the recruitment process in order to, among other things, handle, administer and document the recruitment process. This takes place after a weighing of interests, where h27’s interest in processing your application overrides the applicant’s interest in protecting its privacy.

Spontaneous application

In connection with an open statement of interest/spontaneous application, h27 will process your application for the purpose of seeing which positions fit your profile and whether your profile matches any needs that h27 has. This takes place after a weighing of interests, where h27’s interest in processing your application overrides the applicant’s interest in protecting its privacy.

Tests

h27 may process the responses you provide and test results from proficiency and/or personality tests as a step in the recruitment process in order to have a better and more secure basis for decision making decisions before any hiring of new co-workers. Responses which are given in connection with tests, and test results, are used as a supplementary assessment basis in the recruitment process. The applicant’s participation in proficiency and/or personality tests is voluntary. Any such processing takes place after a weighing of interests, where h27’s interest in processing the responses you have provided in completed proficiency and/or personality tests, as well as test results, overrides the applicant’s interest in protecting its privacy. In exceptional cases, sensitive personal data may be processed and, in such case, h27 will obtain written consent from the applicant before the test begins. Personal data from proficiency and personality tests may become the subject of profiling in order to enable h27 to generate test results and/or personality profiles, if any.

Reference persons

In connection with a recruitment process, h27 may process personal data relating to reference persons. Such processing takes place with the aim of obtaining information about the applicant’s previous work and other information that may be relevant to the recruitment process. The processing takes place after weighing of interests where h27’s interest in processing personal data of the reference persons overrides the reference persons’ interests in protecting their personal privacy

Depending on the circumstances, we may process personal data in, or in relation to, inter alia, the following types of systems:

Property management system, property operation system, staff registration system, productivity system, telephone system, accounting system, clock system, yield management system, revenue center system, communication system, salary system, credit card system, key card system, TV and IT infrastructure (Internet etc.) and video surveillance system.

In order to serve you, we may share your personal and anonymous data with:

Other companies (including companies within the Pandox group), such as vendors, contractors and co-operation companies. Their use of information is limited to these purposes and subject to agreements that require them to keep the information confidential. Our vendors provide assurance that they take reasonable steps to safeguard the data they hold on our behalf, although data security cannot be guaranteed.

Third parties that are data processors that perform services to us (e.g. companies that assist us in marketing activities or IT operations.

Other group companies (e.g. to facilitate reservations).

Lawyers and advisors of Pandox Group.

Relevant authorities. (e.g. in the context of our obligation to register guests).

We may also share personally identifiable information (such as name, address, e-mail address or telephone number) with trusted partners.

Analytics companies may access anonymous data to help us understand how our services are used. They use this data solely on our behalf. They do not share it except in aggregate form; no data is shared as to any individual user.

Potential acquirers of the company: in case (a part of) our business is sold to a third party, your data may be shared with the acquirer.

h27’s suppliers of proficiency and/or personality tests and recruiting firms that assist h27 in the recruitment process.

When collecting input from reference persons, such persons will be informed that you have applied for a position with h27.

Will transfers be made to any third country? As a main rule, we do not transfer any personal data to a third country (i.e. a country outside the EU/EEA).

It is possible that service providers of h27 process your data outside the EEA. In this respect, the hotel is committed to ensuring an adequate and sufficient level of protection for your data (e.g. by concluding the standard contractual clauses of the European Commission - article 46 GDPR) or by any other appropriate safeguards. If you have any questions about the transfer of your personal data outside the EEA or if you want to obtain a copy of the relevant documents, you can send a dated and signed request to the hotel.

We will not save personal data longer than necessary taking into consideration the purpose of the relevant processing. Data may be kept longer in case of complaints or threatened or pending litigation. Our managers shall ensure that any routines applicable to deletion of personal data are complied with. Please note that certain laws require that certain types of information must be saved for specified periods of time (e.g. in certain circumstances we are required to keep data about hotel guests for a period of minimum 7 years after their stay). 

Personal data which is collected during the recruitment process is erased (unless otherwise provided under domestic law) in the following cases:

when it is clear that the applicant will not be offered employment;

if an applicant declines an offer of employment; or

when the recruitment process is concluded.

Application documents that lead to employment are maintained throughout the employment relationship.

In certain cases, h27 may ask for permission to save your application, including results from completed tests, for future recruitment for similar positions. In the event of such enquiry, h27 will obtain written consent from the applicant whose personal data h27 wishes to save.

At h27 we respect your rights.

You have the right of access to your data, to have your personal data corrected, in certain cases to object to the processing and to require the personal data to be erased, to be restricted (a marking that the processing of the personal data should be restricted to a particular purpose), and to be turned over to you on an IT medium (data portability).

Please note, however, that some personal data is necessary in order to be able to fulfill certain duties, such as payment information, and may therefore not be restricted or erased for this purpose.

You also have the right to withdraw your consent where the processing is based on consent. Where this is the case, this will be stated as the legal basis in the relevant sections above.

In order to exercise your rights under the GDPR, you must send your request including a copy of a document that proves your identity to h27 (please see contact details below). We cannot process your request without proof of your identity.

Please see below for a more detailed description of your rights as a data subject but note that exercising your rights may be subject to exceptions or conditions.

A. Right of access

You are entitled to obtain access to your personal data we process and information about what personal data is registered about you in our filing systems, generally free of charge (commonly referred to as extracts from filing systems). If you wish to exercise this right, send us a request as explained below. The extract is normally sent to you within one month, to your email address which is registered in our systems or your National Public Register address. If it will take more than one month, we will inform you of the reasons for the delay. If you believe that any information about you in a filing system is incorrect or misleading, please contact us.

B. Right to correction

As a data subject, you have the right to require that we correct any incorrect personal data about you as a data subject. This also means that you, as a data subject, are entitled to supplement incomplete personal data, among other things by providing a supplemental statement. Such supplementation relates to personal data which is

missing and which is relevant taking into consideration the purpose of the processing of the data.

C. Right to erasure

You are entitled to contact us and request for your personal data to be erased. The personal data must be erased in the following cases:

where the data is no longer necessary for the purposes for which it was collected.

where the processing is based on your consent and you withdraw the consent (and there is no other legal basis for the processing).

where the processing takes place for direct marketing and you, as the data subject, oppose the processing of the data.

where you, as the data subject, oppose processing which takes place following a weighing of interests and there is no legitimate reason which overrides your interest.

where the personal data has been processed unlawfully.

where erasure is required in order to fulfill a legal obligation.

where the personal data relates to children and has been collected in conjunction with the child creating a profile in a social network.

We are entitled to deny erasure in certain cases, among others in order to fulfill a legal obligation.

D. Right to restrict processing

In certain cases, you have the right to require that we restrict the processing of your personal data. A restriction entails that the data is marked so that in the future it may only be processed for certain limited purposes. The right to restriction applies where you believe that the data is incorrect and request a correction. In these cases, you can request a restriction of the processing during the period of time in which we are investigating the accuracy of the data.

E. The right to data portability

You have the right to receive the personal data regarding you, that you yourself have provided us, in a structured, commonly used and machine-readable format and to transfer this data to another controller. This right applies to automated processing where the processing of personal data is based on your consent or on an agreement with you.

F. Right to make objections

You are entitled, at any time whatsoever, to object to our processing of your personal data where it involves personal data which is being processed based on a legitimate interest. In such case, we may no longer process the personal data unless we can demonstrate a compelling legitimate reason for the processing which overrides the interests, rights and freedoms of the data subject, or where the processing takes place in order to establish, exercise or defend against a legal claim.

Where the personal data is processed for direct marketing, you as a data subject are entitled at any time whatsoever to object to the processing of personal data involving you for such marketing, including profiling to the extent this is connected to such direct marketing.

In certain cases we ask for your consent in order to provide you with certain services and process your personal data. Following your consent, we will only process your personal data for the purposes related to such service, product or similar.

In the following cases, inter alia, we may request your consent:

Marketing activities;

In relation to processing of children’s data (where we will obtain consent from a parent);

If we transfer personal data to a third country;

If we process special categories of personal data (such as allergies).

When the processing of your personal data is based on consent, you are entitled to withdraw your consent at any time. This shall not affect the lawfulness of the processing carried out on the basis of your consent before it was withdrawn. If you would like to withdraw your consent, please refer to the same service, website or similar where you consented or contact us using the contact detail below.

You are always entitled to file a complaint with the relevant privacy protection authority or a corresponding supervisory authority

The supervision is exercised by the Danish Data Protection Agency. The Danish Data Protection Agency has the possibility of reviewing the personal data processing which is carried out by us. If we fail to comply with the GDPR or The Data Protection Act, the authority, for example, can issue a warning and/or impose an administrative fine. You can find more information and contact details to the Danish Data Protection Agency here: https://www.datatilsynet.dk.

We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk with relevant processing activity (including reasonable steps to secure your personally identifiable information against unauthorized access or disclosure). We encrypt transmission of data on pages where you provide payment information. However, no security or encryption method can be guaranteed to protect information from hackers or human error. Please always use the internet with caution.

You are not obligated to provide us with any information and personal data about you. However, in some cases, we will not be able to provide you with some of our services or products if we are not allowed to process your personal data.

To exercise your rights under the GDPR or if you have any questions or concerns about our privacy policies or our processing of your personal data, please contact us:

C/O Sønderby Legal, Amaliegade 12, 1256 København
Physical Address: Løngangstræde 27, 1468 København K
Hotel Manager: Ola Larsson
+46 721 978 220 /
ol@h-27.dk

This privacy statement last changed on the 30 April 2020.

We may update this policy from time to time. We will always post an updated copy on our relevant websites. Therefore, please check our site for updates.