(Applicable to Processing of Personal Data of Data Subjects in EEA)
To run our business, we process information about you (referred to as “Personal Data”), as prospective and current customers, representatives of our prospects, customers and suppliers, and visitors to our websites.
The protection of Personal Data is important to us. We therefore process any Personal Data entrusted to us, as data controller or data processor, in full compliance with applicable law, in particular, GDPR.
1. Types of Personal Data We May Process
2. Collection, Use and Disclosure of Personal Data
(1) Purposes of use of Personal Data
We process your Personal Data to achieve the purposes set forth below.
A) Respond in a suitable fashion to customers’ reservations and inquiries and provide various services in our business, which includes accommodation, dining, weddings and product sales
(for details, please refer to our website at https://www.crosshotel.com).
B) Introduce company information, various products and services of our company and ORIX Group companies (ORIX Corporation and all companies that based in law have consolidated accounts with ORIX Corporation or are accounted for by the equity-method), and other companies through direct mailing, e-mail, by phone, and so forth.
C) Conduct marketing analysis to improve customer satisfaction by seeking to provide better products and services for customers.
D) Perform management activities necessary for our operation.
E) In order for us and other companies of the ORIX Group to perform various required management tasks, including understanding the state of claims and assets and risks.
F) Perform marketing analysis and product and services development in order to provide our customers with better products and services, and greater satisfaction as a result.
G) Introduce and propose the products and services offered by the companies of the ORIX Group (for full details of the work that we do, please see "Introduction to Business and Services" (https://www.orix.co.jp/grp/en/business/)).
We may also obtain personal data from our third party service providers and from public sources and combine that with information we collect from you where we believe that it is necessary to help manage our relationship with you.
(2) Legal Grounds for Processing your Personal Data
We may process your Personal Data based on the following legal grounds:
- To perform your instructions or fulfil the obligations under contracts with you;
- Based upon your consent expressly given to us, to process the Personal Data in such manner. You may withdraw the consent to this processing at any time; however, this will not affect the lawfulness of any processing activity carried out by us before such withdrawal of your consent.
- To comply with legal and regulatory obligations; and
- To further our legitimate interests or those of any third-party recipients of the Personal Data, provided that such interests are not overridden by your interests or fundamental rights and freedoms.
In relation to the processing of your Personal Data, our legitimate interests include:
- To benefit from cost-effective services (e.g. using cloud platforms operated by third party suppliers);
- To offer our products and services to our customers (e.g. by communicating through a newsletter or other marketing materials, in which case we will also comply with applicable rules governing direct marketing);
- To prevent fraud or criminal activity, misuse of our products or services as well as the security of our IT systems, architecture and networks; and
- To meet our corporate and social responsibility objectives.
(3) Additional Processing
In the case of processing your Personal Data for purposes other than the foregoing, we will notify you in advance of such purposes and other matters as required by applicable law.
(4) Necessity of providing Personal Data
The Personal Data that you are to provide is necessary for us to provide our services to you. Therefore, without the Personal Data, there may be cases where we will not be able to provide the services to you, in whole or in part.
(5) Retention Period
We will only retain your Personal Data for as long as such Data is necessary to fulfil the purpose for which it was collected to provide the services to you and for any period thereafter as legally required or permitted by applicable law. We will promptly delete your Personal Data when such Data is no longer needed.
(6) Transfer of Personal Data
A) Within ORIX Group
We may transfer your Personal Data to personnel within our Company and to other ORIX Group companies.. Such other ORIX Group companies will either act as another independent controller or will process your Personal Data on our behalf and upon our request (thereby acting as “data processor”). In all cases, the Personal Data will be processed only for the purposes set out above.
For clarity, such affiliate companies within the ORIX Group may or may not “ORIX” in their company name. For details regarding affiliate companies not including “ORIX” in their names, please refer to the "List of Co-Users". (https://www.orix-realestate.com/en/group.html).
* Affiliate companies are subject to change.
B) Outside ORIX Group
We may also transfer Personal Data to third parties outside our Company and the ORIX Group, including our (IT) systems, cloud service and database providers, hotel management companies, outside contractors and professionals (including accounting firms, tax firms and law firms), to achieve the purposes set out above, to the extent they need it to carry out the instructions we have given to them or the agreements we have entered into with them.
As data processors or joint controllers, the above third parties enter into an agreement with us to process the Personal Data in compliance with applicable law (including GDPR).
Where required, we may also transfer your personal data to:
- Any third party to whom we assign or novate any of our rights or obligations under a relevant agreement; and
- Any national or international governmental or judicial authority, where we are required to do so by applicable law or regulation or at their request, in compliance with applicable law.
C) Outside the EEA
The Personal Data may be transferred to entities in countries or jurisdictions outside the EEA, such as Japan, if required for the purposes described above. Please note that such countries or jurisdictions may not have the same data protection laws as the EEA and that they may not afford many of the rights conferred upon you in the EEA. We will ensure that any such international transfers are made subject to appropriate and suitable safeguards as required by GDPR or other relevant laws. When doing so, we will comply with applicable data protection requirements and take appropriate safeguards to ensure the security and integrity of the Personal Data. This may include entry into the relevant EU standard contractual clauses as approved by the EU Commission prior to such transfer to ensure the required level of protection for the transferred Personal Data. You may request additional information in this respect.
3. Your Rights as a Data Subject
Within the limits and under the conditions set forth in the law (including GDPR), you have the following rights:
- To access your Personal Data as processed by us and obtain a copy thereof;
- To request any correction or update thereof;
- To request the erasure of your Personal Data;
- To request the restriction of the processing of your Personal Data;
- To withdraw your consent where we based our processing of your Personal Data on your consent (without such withdrawal affecting the lawfulness of processing prior thereto);
- To object to the processing of your Personal Data;
- To request the portability of your Personal Data (i.e. to obtain the Personal Data you have provided to us in a structured, commonly used and machine-readable format and/or to request the transmission of such Personal Data to a third party, without hindrance from us and subject to your own confidentiality obligations).
When we receive a request based on the rights specified above, we will conduct any necessary investigation without undue delay and provide you or a nominated third party with the Personal Data or respond to such rights without undue delay.
Please note that you may raise an objection to the competent data protection authorities having jurisdiction over us or in the location of your usual residence or place of work with regard to the processing of your Personal Data or of an alleged infringement of GDPR.
4. A minor’s consent
[The name of the company] CROSS HOTELS CORPORATION
[Address] Nippon Life Hamamatsucho Crea Tower.14th Floor, 2-3-1, Hamamatsu-cho, Minato-ku, Tokyo
[Phone number] +81-3-6414-7259
The contact information for our representative is as follows:
[Representative’s Name] ORIX Corporation Europe N.V.
Attn. Secretariat/Privacy matters
[Address] Weena 850, 3014 DA Rotterdam, The Netherlands
[Email Address] privacy @orixnv.com
Effective date: 18/12/2018
CROSS HOTELS CORPORATION /CEO：Takaaki Nitanai
How do we share your personal information with third parties?
- BookingSuite: Your personal data may be shared with BookingSuite B.V. located at Herengracht 597, 1017 CE Amsterdam, the Netherlands, the company which operates this website and the website suite.booking.com.