Best Rate Guarantee

Modify or cancel reservation

Privacy Policy

Information and Privacy Policy about General Data Protection Regulation (GDPR) for Guests, Employees and Vendors.

Introduction/Purpose- This Privacy Policy provides information about:

_ what GDPR is;
_ what is included and covered by the GDPR;

_ how GDPR affects Ocean View Hotel and our Guests/Vendors when Personal Data is accessed/processed;

_ what to do and how to respond to Requests under GDPR; _ frequently asked questions related to GDPR;

This document is to supply information to Ocean Promenade, Inc., dba and hereinafter “Ocean View Hotel” or “Hotel” Guests, Employees and Vendors about the processing of Personal Data by Ocean View Hotel to provide transparency and accountability as required under the general Data Protection Regulation (“GDPR”). A separate document has also been drafted for Ocean View Guests, Employees and Vendors as services are used by opting to stay with us for their leisure or business purpose.

It is hoped that this document will address questions that Ocean View Hotel Guests, Employees and Vendors may have when considering the GDPR and the obligations of Ocean View Hotel as a service provider and data processor under this Regulation. This document will provide information about how Ocean View Hotel operates as applicable under this Regulation and explain the roles of Ocean View Hotel Guests, Employees and Vendors with respect to the services provided to and by the Hotel.

This document can be used as a point of reference for Hotel Guests, Employees and Vendors and for Internal Departments as a source of information to respond to inquiries from Guests.

What is the GDPR?

The EU General Data Protection Regulation (GDPR) is effective May 25, 2018.

The GDPR represents an overhaul of existing European Union (“EU”) data protection laws, building on existing privacy principles and applies to organizations which sell goods and services to EU citizens, and covers how personal information is to be processed, used, stored and exchanged when EU personal information is exchanged. It serves to provide certain protections to EU citizens over their personal data/information, how they are stored, used and processed.

The GDPR applies to all types of Personal Data that the Hotel may process related to covered EU citizens. For services supplied to but not limited to, Guests, Vendors, Sales Groups and Clients and B2B, this would include processing of Guest Personal Data and to a limited extent Personal Data of employees (from EU if any) of the Hotel – e.g. information that the Hotel may collect about a Guest’s name, Email Address, Date of Birth, Religion, ID, Passport, Nationality, Website Location, IP Address, Website Cookies. Any personally identifiable information will be considered covered “Personal Data” for GDPR purposes.

Ocean View Hotel has put in place a practice to address the requirements that GDPR imposes on the Hotel, both as a Data Controller (the entity that determines the purposes and means of processing of Personal Data) and as a Data Processor (where the Hotel is processing Personal Data), and as a business that collect information from covered EU citizens.

Ocean View Hotels’ GDPR Program
Inquiries about privacy matters and appointment of a Data Privacy Officer (“DPO”)

GDPR requires the appointment of a Data Protection Officer or “DPO.” Ocean View Hotel’s Director of IT, in his or her business capacity, will serve as the primary and official DPO regarding all GDPR requests and processes for the hotel operations.

The DPO’s contact information as of the date of this policy is as follows:
Luong Cun, Director of IT, for Shore Hotel, Ocean View Hotel and Santa Monica Motel-

Email: luongcun@shorehotel.com; business phone: (310) 656-8495.

Ocean View Hotel has an internal business practice in place to address privacy matters. Ocean View

Hotel has initiated a formal GDPR program to oversee and coordinate GDPR related covered data- related activities across all functions and business units, including where Ocean View Hotel acts as a Data Controller and Processor.

If Ocean View Hotel acts as Data Processor, we will provide the following information to customers about the processing of personal data for the purposes of transparency. This information is intended to assist Ocean View Hotel Guests, Employees, Vendors, Sales Groups and Clients in understanding how the hotel processes personal data and enable the hotel to demonstrate its compliance with obligations it may have under the GDPR. This information will include the following:

1. Information about how the hotel’s service units process Guest Personal Data;
2. Registering/Storing of personal data on systems;
3. Description about how the hotel services comply with GDPR privacy principles; and 4. General data security measures that are in place;

Under GDPR, Ocean View Hotel is positioned as a Data Controller of Guest Personal Data with our Guests and acts as Data Processor upon the instructions of our Guests for inquires or concierge-type services such as taking and making reservations for external Spas, Dinner, Tours, Taxi or Limo services, and for purchasing tickets to events. The GDPR does not require a separate data processing agreement to be entered into between the parties. The requirement under GDPR is that processing will be governed by contract and the contract will set out the following:

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subject;

  • Obligations and rights of the Data Controller. Contractual Amendments to services agreements 


For any further clarifications or amendments that may be required to services agreements to cover the GDPR requirements, please contact our designated Data Privacy Officer (“DPO”). Considering most of the businesses the Hotel works with and the services provided by the Hotel, Ocean View Hotel’s department leaders should reach out to their Account Representatives to obtain addendums as needed to comply with the GDPR. Additionally, any potential contracts to be signed into; shall be reviewed by all parties including their respective DPO and the company’s legal counsel prior to signing any legal agreements to ensure GDPR is clearly complied with in such contract(s).

In order for the Hotel, Guests and Vendors to properly comply with the specific requirements under the GDPR, Ocean View Hotel will offer standard processing clauses that meet the requirements of Article 28 of the GDPR.

Written Instructions of Ocean View Hotel’s Guest

The instructions of the Data Controller are as set out in the products/services agreement and/or provided by the Data Controller through the activation or configuration of a service. Additional instructions from Ocean View Hotel are usually raised through a change request or other contractually agreed process, insofar as adjustments are required to functionality or system architecture in order to meet the Guest or Vendor specific requirements. As well, Registration Cards and Confirmations Letters will summarize GDPR.

Product and Service Transparency – Detailed Service Description

To assist our Guests, Employees and Vendors in meeting all obligations under GDPR, Ocean View Hotel has prepared detailed information to describe the processing of Personal Data through information which will contain an overview of Ocean View Hotel services and products to assist them to demonstrate compliance with obligations under the GDPR or other data protection legislation.

The Products and Services Transparency Reports will be prepared for the following Ocean View Hotel Products and Services:

PRODUCTS & SERVICES:

• Delphi – A cloud-based sales and catering solution to make reservation and scheduling arrangements to use our meeting spaces.

 Oracle Opera PMS– An on-premise based solution that enables employees to Check-In and Check-Out guests as they stay in our guest rooms.

 Oracle Micros POS– An on-premise based solution that enables employees to take food and beverage orders and process payment from guests regarding Food & Beverages purchases.

 Zingle- A cloud-based solution for Guests Services to communicate with guests regarding their needs during their stay with the hotel.

 Office 365– A cloud-based solution that enables employees to communicate with guests and vendors regarding products and services.

 Expedia, Booking.com, Hotel Tonight, Priceline, Agoda, C Trip, Hotwire, Excite, Travelocity, Groupon, Travel Zoo– Are external Vendor based of companies that take and make reservations on behalf of Guests to book stays at the Hotel.

 Sabre/Synxis– A cloud-based call center solution for Guests or potential guests to make reservations or booking of room(s).

 IDeaS– A cloud-based solution that enables employees to use for forecasting rates and rooms availabilities.

 Merchant Link/Shift 4– A cloud based external credit card processing solution that enables the hotel to process credit cards of Guests securely between the Hotel’s property management system and the guest’s banking system.

 Clarabridge– A cloud-based solution for employees to use to review surveys taken by guests so that the hotel can improve upon its products and services.

 Starline Tours, B&W Limousine Services, tickets, flowers, babysitting, restaurant reservations, reservations for other hotels, for cruises, and for excursions to other locations such as to Catalina Island and to Universal Studios– Are vendor-based companies used by the concierge team to make and book reservations on behalf of guests.

 Chargerback– A web-based external solution that enables employees and Guests to use to retrieve lost and found items that they may have left behind during/after their stay.

 FedEx, UPS, USPS– A solution that enables employees to ship lost and found items back to the Guests after payment is made from the Guest through Chargerback.

 Ceridian– A cloud-based solution that enables employees to review Resumes or CVs from any individual looking to seek employment at the Hotel.

 MS-Shift– A cloud-based external solution that enables employees to review, store info regarding incident reports, property damage and other general liability reporting.

 Shore Hotel - Shorely Sands Stuffed Starfish Animal – Stuffed animal in guest room which guests are able to purchase. EU Guests who opt to purchase and may provide personal information when paying for the product through their room charge or with credit cards.

 Hotel Towels- Hotel Towels (not Pool Towels). EU Guests who opt to purchase and pay for the product through their room charge or with cash.

 Doorma Kaba/VingCard- In-Room key card access. No guest information is in the cards. Only date, duration of access and room number are programmed into the cards.

 HotSOS Housekeeping, formerly REX - HotSOS Housekeeping is a cloud-based solution that automates housekeeping daily operation.

 HotSOS Mild – A Lite version of HotSOS. For staff to use a lite version ticketing system to assist and respond to guests needs and preferences.

 HotSOS - A cloud-based, service optimization enterprise solution. For staff to use as a full version ticketing system to assist and respond to guests needs and preferences.

 Assured ID/TTI Services- Device used to check for potential fraud of IDs cards or passports.

 Verifone/Ingencio- Device used to process all types of credit cards upon check-in/check-out

 AAA Parking- An external solution vendor for parking valet services.

 Amano McGann- An external solution vendor that AAA Parking vendor use to handle processing of Entry and Exiting of vehicles including payment for public or guest parking services.

 Concierge- An internal service the hotel offers in scheduling and arrangements for guests regarding event ticket reservations and purchases, booking of restaurants or dinner, tours, rentals, spa- manicure/pedicure, flower purchases and other external services on behalf of a guest.

 Mitel/Oaisys/EOS/CNS/CallAccounting- External vendors that employees use to record calls for quality and training purposes. Calls in guest rooms are not recorded. Customers who call into the hotel’s main phone number can expect to be recorded as well as internal extensions and employee lines. The Hotel reserves the right to record calls for quality and training purposes.

 Wanaport- An external vendor solution providing support services to on-premise WiFi Support for all guests and guest rooms. The Internet splash page ask for guest name and room number in order to use such service. Terms of use is located and available on the splash page. Guest user must acknowledge terms of use on the splash page in order to proceed to use the internet.

 Business Center- A location and service for Guests to access the internet to check email, make reservations or tours, research, print flight details or other means as they wish. Terms of use is located at the business center; including notification for a guest to Shutdown or Reboot the business center computer to wipe all data upon use and after use of the business center computers.

Each of the Product Transparency Items will contain the following information:

• Description of the purpose of the processing of Guest Personal Data by the Hotel

• Data Mapping/Flows to illustrate where and how Guest Personal Data is processed, accessed, stored, maintained, and data is transferred to vendors and/or other third parties;

• Description of how the Hotel enables compliance with relevant privacy principles including: o Data maintenance, storage, retention and deletion capabilities

o Security Measures (including relevant certifications) to provide adequate protection to Guest Personal Data

o Purpose limitation, data minimization and accuracy

EU Citizen’s Rights- Data Subject Rights:

A common request from guests or vendors is to understand how products or services can be used to address Data Subjects Rights. Ocean View Hotel as the Data Controller will be responsible for addressing the rights of Data Subjects. Ocean View Hotel and its employees will provide assistance to address the rights of data Subjects, either by explaining the functionality of the services, providing self-service tools or providing assistance to address Data Subjects rights. Data Subjects is another word to describe an identifiable EU citizen/person who has provided identifiable personal data.

Right to Information  an individual must be provided with certain information where Personal Data is collected from the individual or where Personal Data is not collected from the individual, the information must be provided within a reasonable period of obtaining the Personal Data.

The Data Controller will need to provide this information to the individual when the information is collected or ensure that if others are collecting the information on behalf of the Data Controller provide the relevant information to the individual through the use of privacy notice or other means of communicating the information such as informing the individual during the check-in and check-out process with reg cards and/or confirmation letters.

Right to Object  An individual has a right to object to processing of Personal Data if it is based on Exhibit A Section (e) or (f); namely (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or (f) processing is necessary for the purposes of legitimate interests purposed by the controller;

Whether the Right to Object exists for a Data Subject will depend on the grounds for the processing of the Personal Data. Where the processing of Personal Data is required for the performance of a contract to which the individual is subject the individual would not have a right to object to the processing. E.g. if personal data is being processed to provide make a booking of a guest or meeting room or banquet space such as for weddings, to perform the contract and make the booking the personal data is required. It can also be retained by the Data Controller as long as required to protect the Data Controllers interests, e.g. to cover a limitation period for claims. Where the Legal grounds for processing is by contract or a legitimate business interest – the Data Subject may have a ground to object. Ocean View Hotel and its B2B can comply with this right through the use of the relevant services, namely by deleting the relevant personal data.

Right to Access - A Data Subject shall have a right to obtain from the Data Controller confirmation of how the Personal Data is being processed concerning him/her and where this is the case access to the following information, and other ways the personal data is used:

• Purpose of the processing;
• Categories or sequences of Personal Data processed;
• Recipients or categories of recipients;
• Retention period of Personal Data;
• Information about exercising of rights under Data Protection legislation;

Ocean View Hotel and its employees will be able to use the services to provide a Data Subject with access to the requested information under a “Right to Access” request.

Right to Rectification - A Data Subject has a right to rectify any inaccurate Personal Data.
Personal Data can be rectified through use of the services or through direct request to Ocean View Hotel employees to make corrections as needed.

Right to Data Portability - The right to data portability is where the processing has been based on the Legal Ground of Consent or Performance of a Contract Exhibit A Section (a) and (b).
Ocean View Hotel can provide a service to supply information in a structured, machine-readable format to an individual resident of the EU if requested.

Right to Erasure/Deletion of Personal Information - Data Subject shall be able to request and obtain erasure of Personal Data from Data Controller in particular circumstances, including:

• Personal Data no longer required for the services • Automated decision making;
• Unlawful processing;
 Or when other lawful requests are made;

Right to Restrict Processing

Ocean View Hotel will be transparent with any citizens of the EU countries regarding all aspects of use related to their Personal Data. As such, Ocean View Hotel treats ALL Employees, Vendors and Guest Data; no matter EU or not; including Personal Data, strictly confidential and handled with care structurally based on operational standards until the business transaction has concluded, e.g. from the time a guest makes a reservation, to be on premise for check-in and off-premise after check-out has concluded. The Right to Restrict Processing is limited considering it is the duty of all parties from the Data Controller, to Data Processor, to Guest to complete a business transaction.

Exhibit A-
Standard Processing Clauses- Under GDPR

Where Ocean View Hotel processes Personal Data (as defined under GDPR) for the purposes of the services provided under this Agreement, Ocean View Hotel is Processing Personal Data as a Data Controller or Data Processor through guests or concierge and stay services on behalf of a Guest under the GDPR.

Where Ocean View Hotel processes Personal Data on behalf of the Guest as a Data Processor for the purposes of providing the services only, Ocean View Hotel shall:

(a) only process Personal Data in accordance with the instructions of the Hotel, these instructions will be as set out in the description of the services, except to the extent that any legal requirement prevents the Hotel from complying with such instructions or requires the Processing of Personal Data other than as instructed by the Guest.

(b) ensure that any personnel authorized by Ocean View Hotel to access the Personal Data are subject to a duty of confidentiality with respect to any Personal Data;

(c) ensure that any Personal Data is subject to appropriate technical and organizational measures against unauthorized or unlawful Processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data in accordance with any Data Protection Legislation applicable to Ocean View Hotel;

(d) inform Guest, Vendors or Employees of the sub-processors used in the Processing of Personal Data and any changes to the sub-processors used in the Processing of Personal Data in the services. Ocean View Hotel has general authorization from Guests, Vendors and Employees to engage sub- processors in the Processing of Personal Data only related to business services. Where Ocean View Hotel engages sub-processors, it shall impose the Personal Data Processing obligations set out in this clause on such sub-processor;

(e) inform Guest of any requests or queries from a data subject, regulatory authority or any other law enforcement authority regarding the Processing of Personal Data under the Agreement and provide the Guest with any information and assistance that may reasonably be required to respond to such requests or queries;

(f) provide reasonable assistance to the Guest, Vendor or Employee at their cost, in respect of compliance with Art 32-36 of the GDPR, taking into account the nature of the Processing undertaken by Ocean View Hotel and the information available to the Hotel;

(g) at the choice of the Guest to, delete or return all Personal Data to the Guest after the end of the Processing of Personal Data under the Agreement, unless Ocean View Hotel is required to retain the Personal Data by applicable law;

(h) notify the Guest without undue delay on becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored of processed by Ocean View Hotel in connection with the services; and

(i) make available to the Guest, information reasonably necessary to demonstrate compliance with Ocean View Hotel Personal Data Processing obligations under this Clause.