Hostelworld – Offline Groups Data Protection Notice
This data protection notice sets out details of the personal data relating to you that we collect and how we will process it when providing our group bookings service.
Hostelworld.com Limited of 1 Central Park, Leopardstown, Dublin 18, Ireland, is the controller of the personal data that is referred to in this notice. If you have any questions about our use of your personal data, please contact us at firstname.lastname@example.org. Alternatively, you can get in touch with our Data Protection Officer at DataProtectionOfficer@hostelworld.com.
Personal Data that We Process
We process the following personal data about you, which we collect directly from you:
- Biographical and Contact Details – Your name, phone number, and email address.
- Payment Details – Details of the debit or credit card that is used to make the booking. We may also later ask you for your banking details in the instance that a refund is owed to you from the travel service provider in relation to your booking.
Purposes of Processing and Legal Basis
We process your personal data in order to make the booking with the relevant travel services provider, and to deal with any queries that you may have in relation to the booking. The basis for our processing of your personal data is primarily that it is necessary in order for us to do so in order to enter into a contract with you, and then to perform that contract. Any other processing of personal data is on the basis that it is required in order for us to pursue our legitimate interest in making the group booking service available and improving our services.
Personal Data that We Require You to Provide
You are required to provide us with the personal data that is detailed above in order for us to be able to provide you with the group booking service. If you do not provide the information, we will not be able to provide you with the group booking service.
Recipients of Data
We may disclose your personal data to various recipients in connection with the above purposes, including:
- Travel Services Provider(s) – We will disclose the following details to travel services providers in order to make your booking: name, email address, and phone number.
- Group Companies – There are a number of companies in our group that help us to provide our services. These include a subsidiary in the UK that provides help with our marketing initiatives, a subsidiary in Portugal that provides development services, and a subsidiary in South Korea that helps to service our customers in Asia. We also have offices in China and Australia that help us service those markets. These subsidiaries and offices may have access to your personal data in providing us with intra-group services, but they only process it in accordance with our instructions and subject to appropriate safeguards.
- Our Service Providers – We use a large number of specialist service providers to assist us in operating our business and to provide us with specialist services. Not all of these service providers will have access to your personal data, but where they do we make sure that they are carefully selected by us to ensure that they respect your privacy rights.
There are certain circumstances where we will transfer your personal data outside of the European Union to a country which is not recognised by the European Commission as providing an equivalent level of protection for personal data as is provided for in the European Union. The most common of these is where we transfer personal data to an accommodation provider so that they can fulfil your booking. We may also transfer your personal data outside of the European Union in connection with the operation of our business, such as when we use a service provider that is based in another jurisdiction. If we transfer your personal data outside of the European Union please rest assured that we will ensure that appropriate measures are in place to protect your personal data and to comply with our obligations under applicable data protection law.
When we transfer your personal data outside of the European Union, if required under data protection law we will either enter into contracts in the form approved by the European Commission with the entity that we transfer data to, or we will ensure that the company to which we transfer your personal data has agreed to abide by an approved transfer mechanism (such as the EU-US Privacy Shield framework). If you would like further details about the measures we have taken in relation to the transfer of your personal data, or copies of the agreements that we have put in place in relation to the transfers, please contact us at DataProteectionOfficer@hostelworld.com.
We retain your personal data in accordance with our record retention policy. The record retention policy operates on the principle that we keep personal data for no longer than is necessary for the purpose for which we collected it, and in accordance with any requirements that are imposed on us by law. This means that the retention period for your personal data will vary depending on the type of personal data, as set out below:
- Transaction Data - If you are an active user of our groups booking service (i.e. you have made a booking in the last 18 months) we want to ensure that you have access to data in relation to your previous bookings, and that we have access to this data for our own business purposes. We therefore won't delete your transaction data whilst you remain an active customer, unless you ask us to do so. If you cease to be an active customer, we will retain your personal data for a period of 4 years, in case you return to our groups booking service and also so that we can continue to use transaction data to improve our services and undertake business analysis. After this 4 year period we anonymise the data, so that it is no longer possible for us to link it to you. However, our anonymisation process does let us re-identify you if you return to use our groups booking service and use the same email address to make a booking. Please also note that if you are subscribed to our marketing database we will retain certain details even after the 4 year period expires, as set out below.
- Marketing Data - We will keep a copy of personal data that is required in order to send you marketing messages for as long as you are subscribed to receive those marketing messages. We will also retain certain information in relation to your transactions in order to allow us to customise our marketing messages. If you are subscribed to receive marketing messages and your transaction data is anonymised in our main database, we will continue to retain certain details in relation to your transactions, such as where you have booked properties before, what types of property you have booked, your average length of stay, and what countries you have made bookings for.
For personal data that is not transaction data or related to email marketing, we will apply the following criteria:
- Managing legal claims - When we assess how long we keep personal data we take into account whether that data may be required in order to defend any legal claims which may be made. If such data is required, we may keep it until the statute of limitations runs out in relation to the type of claim that can be made (which varies from 2 to 12 years).
- Business requirements - As we only collect personal data for defined purposes, we assess how long we need to keep personal data for in order to meet our reasonable business purposes.
You have the following rights, in certain circumstances, in relation to your personal data:
- Right to access the data - You have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
- Right to rectification - You have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.
- Right to erasure - You have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten.
- Right to restriction of processing or to object to processing - You have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.
- Right to data portability - You have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine readable format.
In order to exercise any of the rights set out above, please contact us at DataProtectionOfficer@hostelworld.com.
You have the right to lodge a complaint with the Irish Data Protection Commissioner (https://www.dataprotection.ie/docs/Contact-us/11.htm), or your local supervisory authority.
Please enter the password for the account <% email %>