Toyoko Inn Co. Ltd. and its affiliates (hereinafter collectively referred to as “we” or “us”) are strongly aware of the importance of our customers’ personal information and strive to appropriately handle and manage such information in accordance with the following laws and regulations concerning the protection of personal information.

Affiliates referred to herein include Toyoko Inn International Limited, Toyoko Inn Korea Co., Ltd., Philippine Toyoko Inn, Inc., Mongolia Toyoko Inn LLC, Toyoko Inn Germany Hotel Operation GmbH, TOYOKO INN FRANCE SAS, and other affiliates that are franchisees in Japan, and Toyoko Inn Co. Ltd. shall be ultimately responsible for managing the personal data of such affiliates.
For customers in the European Union (EU) and the European Economic Area (EEA), please also refer to Chapter 2 “Additional Provisions Applied to the Handling of Personal Information of EU and EEA Data Subjects.”

Chapter 1 Handling of Personal Information

  1. Scope of Application
    This chapter applies to all customers who use our services. However, for customers in the European Union (EU) and the European Economic Area (EEA), the provisions of Chapter 2 shall take precedence over this Chapter.
  2. Purpose of Use of Personal Information
    We shall not use the personal information of our customers for any purpose other than the following unless such other use is required by law or regulation or such other purpose is presented separately.
    1. Receipt and management of reservations at hotels operated by us (hereinafter referred to as "the Hotels") (including confirmation, change, cancellation, reminder, etc.)
    2. Provision of personal authentication and various services for registered users on our website
    3. Provision of services at our hotels (accommodation, food and beverage, sales of goods, and sales and provision of other incidental goods and services)
    4. Management of information of Toyoko INN Club Card members and provision of services to members
    5. Provision of data that is related to sleeping data for providing service, for the improvement of hotel equipment, facilities and rooms based on this data
    6. Management of information and provision of services to members of the Toyoko INN Club Corporate Members
    7. Payment, settlement, billing, refund, receipt of cancellation fees, receipt of receipts, and other services related to settlement of accounts for the services we provide
    8. Responding to customer opinions, requests, and inquiries
    9. Conducting an accommodation questionnaire on our hotels
    10. Distribution of e-mail newsletters, information about campaigns and notifications
    11. Operation relating to various campaigns conducted by us (accepting applications, contacting the winners, and shipment of presents)
    12. Handling of soft-opening reservations for the Hotels
    13. Prevention of illegal contracts and unauthorised use and non-payment of our services, and to investigate and handle such conduct when it occurs
    14. To investigate and respond to failures, malfunctions and accidents in our systems and networks
    15. To respond to the notices and instructions issued by the laws and regulations and/or administrative authorities
    16. Survey and analysis of usage of our services, and marketing
    17. To communicate and provide information related to transactions with our affiliated business entities, and to other matters
  3. Acquisition of Personal Information
    We acquire the following personal information from the customer to the extent necessary for the purpose of use set forth in the preceding paragraph.
    1. Basic information (address, name, gender, date of birth, nationality, passport number, e-mail address, phone number, facsimile number, postal mail address, etc.)
    2. Additional information (occupation, work location information (company name, address, telephone number, department, position, etc.))
    3. Payment information (credit card number, bank account information, invoice address, receipt address, etc.)
    4. Service usage information we provide (accommodation history, facility usage, product purchase status, etc.)
    5. Contact information sent to us (e-mail, website form entry, facsimile, telephone memos, letters, questionnaire answers, etc.)
    6. Information gathered using the security system installed in our hotels (security cameras, etc.)
    7. Information automatically collected on our website (cookies, IP addresses, browser types, access dates and times, etc.)
    8. Matters to be stated in the registration form (address, name, occupation, nationality, passport number, age, previous accommodation, post accommodation, arrival date, departure date, guest room number, etc.)
    9. Matters to be stated in the Toyoko Inn Club Card Application Form (name, gender, telephone number, address, nationality, zip code, face photograph, passport copy (only for persons other than Japanese nationality), etc. Please submit an official document in order to confirm your identity.)
    10. Count of breath and heartbeats, measurement of body movement and pressure on bed while customers are sleeping (only for hotels that offer sleeping data providing service)
    11. Sleep quality data of customers gained by analysis of the above (⑩)
  4. Management of Personal Information
    We have established a management system for personal information in accordance with the actual conditions of our business operations, and are committed to keeping customers' personal information accurate and up-to-date to the extent necessary for achieving the purpose of use described in Chapter 2. We take necessary and appropriate measures for the safety management of personal information, such as the prevention of leakage, loss or damage of such personal information. In addition, we strive to raise employee awareness by thoroughly conducting in-house education on protection of personal information so that all employees engaged in the work of handling customers’ personal information can properly handle such information.
  5. Provision of Personal Information to Third Parties
    We will not disclose or provide your personal information to third parties except in the following cases:
    In addition, in order to jointly use the customer's personal information, the act of providing the customer's personal information between Toyoko Inn Co., Ltd. and affiliated companies shall not fall under the category of disclosure or provision to third parties in this subsection.
    1. With the consent by the data subject himself/herself
    2. Where disclosure or provision is required to the extent permitted by laws and regulations
    3. Where it is necessary for the protection of human life, body or property, and is difficult to obtain consent from the data subject
    4. Where it is necessary for the national and local public entities, etc. to cooperate in the execution of public affairs, and where there is a risk that the execution of such affairs will be hindered by obtaining the consent from the data subject
    5. Disclosure or provision of statistical data (information that cannot identify the data subject’s identity)
    6. In cases of merger, acquisition, transfer of operation, and other reason in connection with the succession of the business
  6. Outsourcing of the duties
    Notwithstanding the provisions of the preceding paragraph, we may consign part of our business operations to a consignee in order to provide customers with products and services, and may provide customers’ personal information to the consignee within the scope necessary for achieving the purpose of use.
  7. Transfer of Personal Information to Japan and Overseas
    Pursuant to the provisions in the two preceding paragraphs, we will take necessary and appropriate measures in accordance with the laws and regulations of the transferring countries when providing customer personal information between our Group companies or to the consignee.
  8. Anonymised data (applies to ⑩ and ⑪ described in point 3 above)
    We will take appropriate measures to ensure that it is not possible to identify specific individuals or to restore the original personal data. The creation of anonymised data and its provision to third parties will be carried out to the extent permitted by law.

    1) Compliance with relevant laws and guidelines
    We will handle anonymised data properly, following the Act on the Protection of Personal Information (APPI), other regulations, the “Guidelines on the Act on the Protection of Personal Information” and other guidelines.

    2) Process of anonymised data creation
    We will process information of customers in order to create anonymised data in accordance with processing criteria regulated by APPI.

    【main processing examples】

    1. deletion of information that enables us to identify specific individuals
    2. deletion of personal identification code
    3. deletion of codes that may connect information
    4. deletion of unique information
    5. other measures that take account of the nature of the personal information data bases

    3) Personal information used in anonymised data

    1. age (generation), gender, accommodation date
    2. count of breath and heartbeats, measurement of body movement and pressure on bed while customers are sleeping
    3. sleep quality data of customers gained by the analysis (②)

    4) Provision of anonymised data to third parties
    The personal information included in anonymised data and the method of provision are as follows:

    1. We provide the anonymised data described in ①② and ③ of subitem 3)
    2. How we provide the data
      • stored in storage devices like DVDs in order to be able to confirm the transfer
      • provision by servers with appropriate access rights management
      • additionally, provision will take place in a way that has proper security measures (encryption or password settings) to prevent leakage or theft of information

    5) Security management measures
    We will supervise our employees who handle anonymised data to ensure that they comply with security management measures in accordance with internal rules.

    6) Prohibition of identification
    We will not combine anonymised data with other information for the purpose of identification (re-identification) of specific individuals, when using anonymised data created by us.

  9. Acquisition and use of logs on our website
    1. This website uses Google Analytics to collect and analyse access logs.
    2. Google Analytics uses cookies* to collect logs without using information that identifies individuals. Access logs collected are managed based on the privacy policy of Google Inc.
      * Cookies are files that are stored on your computer by a website you visit. When using our webpages, information is exchanged between your browser and our servers, which is stored as a usage log. In the cookie on your computer an identifier is stored, with which the usage logs can be assigned. The setting options for cookies vary from browser to browser, so please use the help menu in your browser to change cookie settings.
    3. More information on the privacy policy of Google Inc. can be found here:
      Terms of Service: https://www.google.com/analytics/terms/de.html
      General Information on Data Protection: https://support.google.com/analytics/answer/6004245
      Data Protection Notice: https://policies.google.com/privacy
    4. This website uses the Google Analytics advertising feature to analyse the age, gender and interests of users. They do not collect and store them in a way that implies your identity. The following functions are used:
      · Report of user analysis and interest categories
      If you want to stop Google Analytics on our site, use the cookie functions of your browser or use the Google Analytics Opt-Out ** add-on, depending on your browser’s settings. You can download the add-on at the following link: https://tools.google.com/dlpage/gaoptout
      ** Opt-out means refusing a cookie that clearly assigns information to a specific user. You can therefore prevent Google from creating a profile about you.
  10. Requests by data subjects
    1. Notice of the purpose of use of personal information
    2. Disclosure of personal information held by us
    3. Correction, addition or deletion of personal information (If the content of personal information is incorrect)
    4. Suspension or deletion of personal information (If the personal information is handled or was collected in violation of a law)
    5. Suspension of provision of personal information to a third party (If personal information is provided to a third party in violation of a law)
  11. Changes in Privacy Policy
    We may change the contents of this Privacy Policy. In such case, the latest content will be promptly posted on our website. In addition, the changed contents shall take effect from the time we post them on our website.
  12. Inquiries regarding the protection of personal information
    If you wish to inquire or modify your personal information, or make inquiries regarding the above personal information protection policy, please contact the following and we will respond promptly:
    Contact information Postal Address:
    〒144-0054 1-7-4 Shin-Kamata, Ota-ku, Tokyo
    General Affairs Department, Toyoko Inn Co., Ltd.
    Phone
    (Hours from 9:00 to 17:30 on weekdays JST)
    Toyoko Inn Co., Ltd. - General Affairs Department,
    Tel: 03-5703-1045
    Fax 03-5703-9911

Chapter 2 Additional Provisions Applicable to the Handling of Personal Information of EU and EEA Data Subjects

  1. Purpose
    This additional chapter describes certain additional information that we are required to provide to data subjects in the European Union (EU) and the European Economic Area (EEA) under the General Data Protection Regulation ((EU) 2016/679 GDPR) established by the European Union (EU). This regulation describes the rights of data subjects and how to handle personal information.
  2. Scope of Application
    This Chapter applies to customers living in the European Union (EU) and European Economic Area (EEA) who use the services we provide. For matters not stipulated in this chapter, the provisions of Chapter 1 shall also apply to those residing in the European Economic Area (EEA) or Switzerland. In the event of any conflict between the provisions of this Chapter and Chapter 1, the provisions of this Chapter shall prevail.
  3. Purpose of Use, Handling and Legal Basis of Personal Information
    Personal information handled by us, its purpose of use and legal basis are as follows.
    1. Management of Hotel Bookings
      Processing activities:
      Account registration made via official website and account information management, reservation management (including reservation made via official website, agents, and other methods such as telephone or walk-in at the hotel), etc.
      Information to be handled:
      Name, gender, nationality, date of birth, phone number, fax number, E-mail address, credit card information, work address, etc.
      Legal basis: GDPR Art. 6 lit. 1 b, f
    2. Services for registered users and personal authentication on the website
      Processing activities:
      Official website account registration, display My Page, display online Receipt, e-mail magazine distribution, etc.
      Information handled:
      Name, gender, date of birth, nationality, contact number, Email, credit card information, work address, Toyoko Inn Club Card Member number, password, location information, favourite hotels, hotel browsing history, reservation information, past accommodation history, online coupons, number of points, etc.
      Legal basis: GDPR Art. 6 lit. 1 a, b, f
    3. Providing services at hotels
      Processing activities:
      Check-in, filling in the accommodation card, baggage storage, laundry use, etc.
      Information to be handled:
      Name, age, nationality, gender, address, contact number, occupation, work address, passport number, departure date, previous location, next location, passport copy, etc.
      Legal basis: GDPR Art. 6 lit. 1 b, c, f
    4. Management of information and provision of services to Toyoko Inn Club Card Members
      Processing activities:
      pre-membership registration, membership application, member points, etc.
      Information to be handled:
      Name, gender, date of birth, contact number, address, nationality, zip code, head shot, passport copy, etc.
      Legal basis: GDPR Art. 6 lit. 1 a, f
    5. Management of information and provision of services to Toyoko Inn Club Corporate Members
      Processing activities:
      pre-membership registration, membership application, points grant, etc.
      Information to be handled:
      Name, gender, date of birth, contact number, address, nationality, zip code, portrait photo, passport copy, etc.
      Legal basis: GDPR Art. 6 lit. 1 a, f
    6. Payment, settlement, billing, refund, receipt of cancellation fees, receipt issuance, and other services related to payments
      Processing activities:
      online advance payment, various types of settlement/payment such as credit cards, invoice, receipt, accounts receivable processing, etc.
      Information to be handled:
      Name, address, place of work, credit card information, display of receipts, Email address, room types, applicable accommodation plan, etc.
      Legal basis: GDPR Art. 6 lit. 1 b, f
    7. Responding to customer opinions, requests, and inquiries
      Processing activities:
      Responding to customer requests and inquiries etc. by telephone.
      Information to be handled:
      Name, Toyoko Inn Club Card membership number, contact information, accommodation date, hotel name, etc.
      Legal basis: GDPR Art. 6 lit. 1 a, f
    8. Implementation of customer surveys
      Processing activities:
      E-mail Newsletter, customer questionnaires, online accommodation questionnaires, questionnaire postcards, etc.
      Information to be handled:
      Name, gender, age, occupation, SNS-registration status, address, contact number, Email, Toyoko Inn Club Card Member number, work information, reservation number, accommodation date, etc.
      Legal basis: GDPR Art. 6 lit. 1 a, f
    9. Distribution of e-mail magazines, notification of various campaigns and information
      Processing activities:
      Account registration via official website, etc.
      Information to be handled:
      Name, gender, date of birth, nationality, contact number, Email, Toyoko Inn Club Card Member number, etc.
      Legal basis: GDPR Art. 6 lit. 1 a, f
    10. Receiving applications for various campaigns, contacting winners and sending presents
      Main processing activities:
      Recruitment of campaign plans, announcement of prize winners, shipment of prizes, etc.
      Handling information:
      Name, address, contact number, Email, etc.
      Legal basis: GDPR Art. 6 lit. 1 a, f
    11. Soft-Opening reservations
      Processing activities:
      Screening of services, Quality control of reception, reservations, accommodations etc.
      Handling information:
      Name, contact number, fax, work information, introducer name, room number, room type, etc.
      Legal basis: GDPR Art. 6 lit. 1 b, f
    12. Prevention of illegal contracts, unauthorised use and non-payment of our services, and to investigate and handle such conduct when it occurs
      Processing activities:
      Account registration and hotel reservation via official website, etc.
      Handling information:
      Name, gender, date of birth, nationality, contact number, credit card information, Toyoko Inn Club Card Member number, etc.
      Legal basis: GDPR Art. 6 lit. 1 f
    13. To investigate and respond to system and network failures, malfunctions and accidents
      Processing activities:
      Investigation of effects in online reservation system, etc.
      Handling information:
      Name, gender, date of birth, contact number, nationality, credit card information, hotel browsing history, accommodation history, etc.
      Legal basis: GDPR Art. 6 lit. 1 f
    14. Response based on laws and regulations or the notification and guidance of administrative authorities
      Processing activities:
      Filling in the accommodation cards, etc.
      Handling information:
      Name, age, gender, nationality, address, contact number, occupation, work information, passport number, departure date, previous location, next location, passport copy, etc.
      Legal basis: GDPR Art. 6 lit. 1 f
    15. Investigation, analysis, and marketing of usage of the official website
      Processing activities:
      Collecting access logs using Google Analytics, etc.
      Handling information:
      Cookie, IP address, browser type, access date and time, etc.
      Legal basis: GDPR Art. 6 lit. 1 a, f
    16. Communication and provision of information related to transactions with business partners and other transactions
      Main processing activities:
      Settlement of credit cards, outsourcing of gift shipping services, etc.
      Handling information:
      Name, address, credit card information, etc.
      Legal basis: GDPR Art. 6 lit. 1 a, f
  4. Transfer of Personal Information to Third Countries
    In order to fulfil the contract with the customer or to carry out the procedure according to the request of the customer prior to the conclusion of the contract, [Hotel / Toyoko Inn] Group may transfer personal information collected outside Japan to Japan or to a third country (including those countries where an adequate level of protection has not been qualified). We shall use appropriate security and confidentiality measures in accordance with this Privacy Policy and laws when transferring customers’ personal information.
  5. Retention Periods of Personal Information
    We retain personal information only for the period necessary for achieving its purpose of use, and take measures to delete or anonymise personal information after the period of retention in a safe manner within a reasonable period of time.
  6. Requests for the Handling of Personal Information
    We will respond, within a reasonable period and to a reasonable extent, to the following requests concerning the personal information we hold of customers located in the EU / EEA. When you make a request, we will confirm your identity in advance.
    1. Right to access personal information
      You have the right to know whether or not your personal information is being processed by us and, if so, to have access to your personal information and related information.
    2. Right to rectify personal information
      You have the right to rectify your personal information in case we have stored incorrect information about you.
    3. Right to delete personal information
      You have the right to demand the deletion of your personal information in certain cases.
    4. Right to restrict the use of personal information
    5. Right to file an objection to the use of personal information
      You have the right to object to the processing of your personal data that we carry out based on legitimate interests claimed by us or third parties.
    6. Right to data portability (transferability)
    7. Right to withdraw consent
      You may revoke your consent at any time, with the result that we may no longer process your data for the corresponding purpose. The revocation applies only with effect for the future.
  7. Appeals to Supervisory Authority
    Customers and other data subjects may appeal to a supervisory authority, such as the national, regional or international organisations, regarding our handling of personal information in accordance with laws and regulations.
    A list of Supervisory Authorities can be found here: https://edpb.europa.eu/about-edpb/board/members_en
  8. Personal information of children
    If you are a minor, please provide personal information only with the consent of your parents. Information about minor children is not intentionally collected and processed without the permission and consent of the parents.
    We will delete information as soon as possible if we find that we are collecting and processing personally identifiable information about children who have not reached the minimum age. This age may vary by EU member state*. If you discover that younger children have provided us with personal information, please contact the privacy officer listed below.
    * In Germany, this section applies if personal information is provided by persons under the age of 16. In France, this section applies if personal information is provided by persons under the age of 15.
  9. Contact Information of the Data Protection Officer
    For inquiries concerning the handling of personal information please contact our external Data Protection Officer:
    Toyoko Inn Data Protection Officer
    ℅ Enobyte GmbH
    Augustenstr. 49, D-80333 Munich Germany
    Email: dpo@enobyte.com

Date of revision: 01.09.2021