Information Security Policy
Basic Policy Concerning Information Protection
- Compliance with laws, regulations, internal rules and other stipulations
The Company shall abide by information security-related laws, regulations, internal rules, contractual requirements and other stipulations.
- Management of an information security management system
The Company shall manage an information security management system with clearly designated responsibilities. This shall include the appointment of executive officers in charge, the running of relevant departments and the assignment of information security officers.
- Development and review of rules and other requirements, and enhancement of auditing
The Company shall keep internal rules (e.g., basic policy, regulations, manuals and other types of guidance) to ensure information security, and shall regularly review these rules to reinforce/improve the information security management system. It shall also strive to constantly improve the supervision and auditing of information security management.
- Education, training and awareness raising
The Company shall provide education and training to all board members and other employees of the Company and its affiliates to ensure full recognition for the importance of information security and information assets. It shall also strive to make staff thoroughly aware of the need to comply with related laws, regulations and internal rules (e.g., basic policy and regulations).
Revision of Information Security Policy
Any Information Security Policy revisions will be posted on this website.
(Effective as of June 1, 2008)
GRANVISTA Hotels & Resorts Co., Ltd.
*Confidentiality, integrity and availability of information assets
Confidentiality: privacy requiring efforts to ensure that information assets are not disclosed to or accessed by unauthorized users
Integrity: the accuracy and trustworthiness of information assets
Availability: ready access to information assets in specific ways as needed
The security of this website is recognized with server certification from Cybertrust Japan Co., Ltd. All communication on SSL pages is encrypted to protect privacy.
Basic Policy on the Protection of Personal Information
- Compliance with Laws and Regulations Concerning Personal Information
Personal information shall be handled appropriately, in compliance with laws concerning the protection of personal information, as well as industry standards, etc.
- Acquisition of Personal Information
The Company shall acquire personal information by the following methods when engaged in a transaction relating to the facilities and products of the Company (accommodation, banquet, food and beverage, product sale, the provision or sale of other incidentals, the provision of services, the holding of events, etc.), a transaction with a
business operator partnering with the Company, or other transaction.
It should be noted that with the exception of where the Company has obtained the consent of the customer, where absolutely required for the provision of the Service, or where permitted by law, sensitive information of the customer, such as their race, creed, social status, and medical history, etc. (hereinafter referred to as "Sensitive Personal Information"), shall not be acquired.
- a) Direct acquisition from the individual
By telephone, in writing (includes electromagnetic record), by business card, in conversation, or via the internet, etc.
- b) Acquisition from a party who has been granted legitimate authority by the individual
Applicant for use, agent, travel agent, partner, or business operator that handles package products, etc.
- c) Acquisition from a publication
The internet, a newspaper, telephone directory, book, or other publication, etc.
- Legal Basis for the Use of Personal Information
As a general rule, the legal basis for the use of personal information at the Company shall be the consent of the individual.
The legal basis for the use of personal information in cases where the consent of the individual has not been obtained shall be the need for the performance of a contract with the individual, the need in order to perform procedures prior to the execution of a contract at the request of the individual, the need for legitimate interest sought by the Company or a third party, or the need for compliance with legal obligations that should be followed by the Company. The legitimate interest sought by the Company or a third party includes the increasing of operating income through marketing and service improvements, etc., as well as the improving of the convenience and security of the Company's website.
- Purpose of Use of Personal Information
The Company shall use the acquired personal information within the range of the purpose of use set forth below. In addition, in the event of use beyond the range of the purpose of use, with the exception of where there are legal exceptions, this shall be performed upon obtaining the consent of the individual customer.
- For communications, product orders and payments, settlement, and other matters concerning a transaction relating to the facilities and products of the Company (accommodation, banquet, food and beverage, product sale, the provision or sale of other incidentals, the provision of services, the holding of events, etc.), a transaction with a business operator partnering with the Company, or other transaction
- For the management of member information at member organizations of the Company, as well as the provision of services to members
- For responding to inquiries and requests, etc., made to the Company
- For the issuance or mailing to the individual of information, advertisements, promotional materials, and questionnaires relating to the facilities operated by the Company, as well as the business, etc., of tenants (restaurants, stores, and help desks operated by business operators other than the Company that have opened a store or occupied a store with legitimate authority within premises or buildings owned or operated by the Company, and other business operators, etc.) and partners, by email, postal mail, courier service, telephone, fax, or other means.
- For the improvement and development of services relating to the facilities and products of the Company, tenants, and partners, etc., as well as for ascertainment and analysis within the range that the individual is not identified in usage trend surveys and customer satisfaction surveys, etc.
- In regard to the cookies, IP addresses, browser types, and access dates and times, etc., acquired on the websites of the Company and the facilities operated by the Company, for the provision of appropriate information on the website, the ensuring of security, the maintenance and management of the websites, and for statistical analysis on their usage status
- For the creation, preparation, and storage of guest registers as prescribed by law, etc.
- For use in other business incidental to the purpose of use described above or relating to the general provision of services of the Company
- Scope of Collection of Personal Information
The Company requires the following information for the provision of services to the individual. In regard to the matters stated in the guest registers in particular, the Company is obligated by the law of Japan to create such records and store these for a period of three years. The hotel may be unable to provide accommodation services to a customer if this information is not provided.
- Basic information on the customer, etc.
Address, name, gender, date of birth, nationality, email address, telephone number, fax number, mailing address, etc.
- Additional information on the customer, etc.
Occupation, employer information (company name, address, telephone number, department, position), date of marriage, family information (names, relationships, dates of birth, etc.)
- Payment information
Credit card number, bank account information, invoice mailing address, and other data relating to payment
- Information on services to be used
Facility usage status, product purchase status, etc.
- Content of communications
Content of responses in emails, website forms, faxes, telephone memos, letters, and questionnaires, etc.
- Information collected in relation to the security system
Surveillance cameras, card keys, etc.
- Information that is automatically collected on websites of facilities operated by the Company
Cookies, IP addresses, browser types, access dates and times, etc.
- Matters to be stated in the guest register
Address, name, occupation, nationality, passport and visa information or other identification data relating to ID issued by a government, age, prior lodging, destination, arrival date and time, departure date and time, guest room name, etc.
- Member number for various programs and information relating to this
- Joint Use of Personal Information
The personal information acquired by the Company may be used within the scope of the purpose of use of Paragraph 4. The appropriate management and handling of personal information in such a case shall be secured by the Company's personal information protection manager.
·Data items subject to joint use
Granvillage customer number, member services eligibility, name, date of birth, gender, address, telephone number, fax number, email address, workplace (company name, department, position, address, telephone number, fax number), mailing address, hotel at which the customer holds membership, usage history
·The Company and the Granvista Group
The Granvista Group refers to the facilities that are stated on the corporate site below.
Scope of parties to engage in joint use
·Parties with responsibility for the management of personal information
- Regarding the joint use of personal information with third parties, and the outsourcing of business to third parties
The personal information acquired by the Company shall be used within the scope of the purpose of use of Paragraph 4. Furthermore, even in the case of personal information being jointly used with a third party such as an affiliated company of the Company, or the handling of personal information being outsourced to a third party such as external company, the appropriate management and handling of personal information shall be secured by the Company's personal information protection manager.
- Disclosure and Provision of Personal Information to Third Parties
The Company, with the exception of where any of the following are applicable, shall not disclose personal information of the individual to a third party.
- If the consent of the individual has been obtained
- If disclosure or provision is required by law
- If it is necessary in order to protect the life, body, or property of an individual, and it is difficult to obtain the consent of the individual
- If it is particularly necessary for the improvement of public health or the promotion of the sound development of children, and it is difficult to obtain the consent of the individual
- If it is necessary to cooperate with the performance of business prescribed by a national government organization, a local government organization, or a party contracted by such an organization, and the obtaining of the consent of the individual may cause hindrance to the performance of such business
- Secure Management of Personal Information
The Company shall take the necessary and appropriate safety management measures in order to secure the accuracy and safety of the personal information, to keep it up to date, and in order to prevent loss, tampering, leakage, or unauthorized access, etc., to the personal information. In addition, the Company shall conduct appropriate monitoring on contractors.
- Filing of Complaints to a Regulatory Agency
The individual may file complaints to a regulatory agency, such as the national government, local government, or international organization, etc., concerning the handling of the personal information of the Company, in accordance with the law.
- Transfer of Personal Information to Third Country, Etc.
The Company, for the performance of a contract with the individual, or for the performance of procedures at the request of the individual prior to the execution of a contract, shall transfer personal information acquired outside of Japan to Japan. The Company,
shall handle the personal information of the Individual through the use of the appropriate security and confidentiality measures.
- Presence of Automated Decisions, Such as Profiling
The Company shall not make any decisions based only on the automated handling of personal information,
such as profiling.
- Personal Information Storage Period
The Company shall store personal information for the period required to achieve the purpose of its use, and after the storage period, shall take measures to delete or anonymize the personal information by a safe method, and within a reasonable period of time.
It should be noted in regard to the matters to be stated in the guest register, that the storage period obligated by the law of Japan is three years.
- Customer, Etc., Basic Information
- Customer, Etc., Additional Information
- Payment Information
- Service Usage Information
- Communication Content
- Information collected in relation to the security system
- Information that is automatically collected on the website of the Company and websites of facilities operated by the Company
- Matters to be stated in the guest register Three years from the final transaction
- Other Information
- Personal Information at Link Destinations
The Company shall not bear responsibility for the protection of personal information on websites linked to from the websites
of the Company and the Granvista Group, or on other websites.
- Contact Point for Inquiries Concerning Personal Information
The Company shall manage the personal information of the individual so that it is as accurate and up to date as possible. Requests from the individual for the disclosure of content, revision, or suspension of use, etc., of personal information, as well as inquiries relating to personal information may be directed to the Personal Information Inquiry Help Desk.
Help Desk for requests for the disclosure of personal data held by the Company and the Granvista Group
2-3-4, Uchi-Kanda, Chiyoda-ku, Tokyo, 101-0047
GRANVISTA Hotels & Resorts Co., Ltd. Marketing Department
Personal Information Inquiry Help Desk
Internet safety measures
GRANVISTA makes every effort to ensure information security on its website. SSL (Secure Sockets Layer) encryption is used to protect the transmission of personal information so that customers can make online reservations, inquiries and the like with peace of mind. SSL is a security technology for communication between browsers and web servers, and is based on encryption and authentication. With SSL, even in the event that a third party intercepts a data transmission, the content cannot be read or tampered with. However, due to the nature of the Internet, the use of SSL does not guarantee complete security.
This website is certified with a server certificate from Cybertrust Japan Co., Ltd. All communication on SSL pages is encrypted to protect user privacy.
(August 5, 2019 Amendment)
GRANVISTA Hotels & Resorts Co., Ltd.
Granvista Group Facilities List