Information on Starwood’s Guest Data Protection Standards

Starwood Hotels & Resorts Worldwide, LLC. (a subsidiary of Marriot International, Inc.), of the Starwood Group, is dedicated to protecting the privacy of our Guests and safeguarding their Personal Data. Starwood's mission is to consistently exceed our Guests' expectations in terms of the products and services we provide to our business and leisure travelers. We strive to create an experience that is responsive to our Guests' needs by using the information they entrust to us responsibly.

To achieve our mission Starwood has adopted Binding Corporate Rules for the processing of Guest Data. These internal principles, titled Guest Data Protection Standards (the “Guest Standards”), define Starwood’s global policy with regard to international transfers of Guest Data between Starwood Group Members (namely our hotels, offices and call centers).

Starwood’s Guest Data Protection Commitment

Starwood’s commitment to the protection of Guest Data includes the following:

  • No matter where our Guests reside, which Starwood hotel or resort they are visiting, or how they interact with Starwood, they will receive the same level of Personal Data protection.
  • To ensure this protection is consistent, Starwood requires that its hotels, call centers, and corporate locations be bound by and comply with our Guest Data Protection Standards (‘Guest Standards’) and all related Starwood policies when Processing Guest Data. Starwood routinely monitors to ensure that these requirements are met.
  • While Starwood strives for consistency in data protection, if any local law requires a higher level of protection than our Guest Standards, the applicable higher requirements of local law will take precedence.
  • Starwood commits to cooperate and respond diligently with data protection authorities and regulators to ensure that these Guest Standards are complied with across our organization. Starwood, through its Belgian subsidiary, will also report at least once a year. Any substantive changes to the Guest Standards or material changes to the Starwood organization, to the relevant Data Protection Authorities.
  • Starwood will maintain a robust privacy program with global reach to ensure compliance with our Guest Standards and privacy policies. This program includes assigning responsibilities, training our employees who handle or process Guest Data, auditing, and addressing the concerns of our Guests with regard to our data privacy practices.
  • Starwood will diligently respond to Guest concerns regarding our privacy practices and any complaints relating to the violation of the Guest Standards or applicable local data protection law. Starwood’s privacy office is responsible for reviewing and closing these cases.
  • Guests may submit their complaints online, by telephone, email or letter to the Starwood Customer Service department.
  • Guests will be notified in writing and without undue delay of the outcome of the investigation and of any remedial measures.
  • Guests in the European Economic Area (EEA) may at any time file a complaint with a competent Data Protection Authority or file a claim with the competent court to seek redress for any alleged losses incurred from breach of these Guest Standards. In the case of breach of the Guest Standards, whether or not the breach occurred in the EEA or outside, Guest whose data have been exported by a Starwood Group Member in the EEA to a Starwood Group Member outside the EEA can choose to file the complaint or claim against either
    • The Starwood Group Member in the EEA who exported their Data at the competent Data Protection Authority or court of that Starwood Group Member’s jurisdiction, or
    • Starwood EAME Service Company BVBA at the competent Data Protection Authority or court of Brussels, Belgium.
    • When a Guest suffers direct damages and establishes facts which show that the damage occurred because of a breach of the Guest Standards, and the Guest introduces a claim in consideration of the above, the burden will be on the Starwood Group Member against which the claim is submitted (and not the Guest) to prove that the Starwood Group Member is not responsible for the breach of the Guest Standards giving rise to those damages, or that the alleged breach did not take place.
    • In no event and to the extent permitted by applicable local law will any Starwood Group Member be held liable for indirect, incidental, special or consequential damages, including, but not limited to, loss of profits and business opportunities.
    • The interpretation and application of the Guest Standards will be governed by Belgian law. For the avoidance of doubt, nothing in the Guest Standards waives or varies the rights of Guests under their applicable local data protection law.
    • Guests may request a copy of the Guest Standards and the list of Starwood Group Members bound by the Guest Standards by sending a request by email to consumer.privacy@starwoodhotels.com or by writing us at:

    Starwood Hotels & Resorts Worldwide, LLC.

    One StarPoint Stamford, CT 06902 USA

    Attention: Consumer Affairs – Privacy

    Starwood’s Guest Data Protection Principles

    The Guest Standards comprise the following principles which are the foundation for the protection of Guest Data at Starwood and represent the basis of our global Privacy program. All other Starwood privacy policies or supporting documentation, such as the Online Privacy Statement, incorporate and act to support these principles. Whenever a Starwood Group Member Processes Guest Data, it will comply with the following data protection principles:

    Principle 1: Processing Guest Data Lawfully, Fairly and Transparently

    Starwood and its Group Members will Process Guest Data lawfully and fairly and in a transparent manner for its Guests.

    The Processing of Guest Data will be considered lawful and fair if at least one of the following conditions applies:

    • the Guest has unambiguously given prior, informed and freely given consent; or
    • Processing is necessary for the performance of a contract to which the Guest is a party or in order to take steps at the request of the Guest prior to entering into a contract; or
    • Processing is necessary for compliance with a legal obligation to which the Starwood Group Member is subject; or
    • Processing is necessary in order to protect the vital interests of the Guest; or
    • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Starwood Group Member or in a Third Party to whom the data are disclosed; or
    • Processing is necessary for the purposes of the legitimate interests pursued by the Starwood Group Member or by the Third Party or Parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the Guest.

    Sensitive Personal Data may only be Processed in compliance with the additional restrictions set by the applicable local law of the Data Controller Starwood will inform Guests about the Processing of their Personal Data in a transparent manner by having clear and easily accessible information, including about the exercise of their rights. Such information will include at least:

    • our identity and the contact details;
    • the purposes of the Processing for which their Personal Data are intended;
    • how their Personal Data will be used;
    • the period for which their Personal Data will be stored;
    • with whom (or categories of Third Parties) their Personal Data would be shared with;
    • the existence of the right to request from Starwood access to and rectification or erasure of their Personal Data concerning the Guest or to object to the Processing of such Personal Data;
    • any additional practices regarding Sensitive Personal Data; and
    • any further information which might be necessary in order to ensure that the Processing is made in a transparent manner.

    To learn more about how Starwood Processes Guest Data online, please visit our Online Privacy Statement


    Principle 2: Starwood and Partner Direct Marketing

    Starwood will clearly and distinctly inform Guests at the time of the collection of their Guest Data and will give Guests the opportunity to object to the Processing of their Guest Data for direct marketing of Starwood’s own or similar products and services via any marketing channels. Similarly, Guest Data will only be processed for direct marketing of non-Starwood products and services or shared with third party marketing partners after the Guest has given prior, informed and freely given consent. Guests will be given the opportunity to opt-out of direct marketing communications via any channel on request, free of charge, and in an easy manner. To learn more about opting out online, please visit our Online Privacy Statement. Starwood will also communicate this opt out choice to the other Starwood Group Members and Third Parties to whom they transfer Guest Data for marketing purposes.


    Principle 3: Purpose Limitation

    Guest Data will be collected for specified, explicit and legitimate purposes and not further Processed in a way incompatible with those purposes.



    Principle 4: Data Minimization

    Starwood strives to only collect the Guest Data it needs. Any Guest Data collected by Starwood will be adequate, relevant and not excessive in relation to their intended purpose. Where Starwood can achieve its purposes without Processing or using Guest Data, it will.


    Principle 5: Data Accuracy

    Starwood takes all reasonable steps to ensure its Guest Data is current and up to date. Individuals who believe their Guest Data may be out of date or incorrect please contact us or update your Starwood Preferred Guest program member profile.


    Principle 6: Data Retention Minimization

    Starwood will keep Guest Data in a form which permits the identification of Guests for no longer than it is necessary for the purposes for which the Guest Data were collected or for which the data are further Processed.


    Principle 7: Security of Guest Data

    Starwood and its Group Members will have policies and institute appropriate technical and organizational measures to protect Guest Data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of Guest Data over a network, and against other unlawful forms of Processing. These measures will ensure a level of security appropriate to the risks represented by the Processing and the nature of the Guest Data. For more information about Starwood’s online security, please see our Online Privacy Statement.


    Principle 8: Guests’ Rights to their Personal Data

    Guests, upon confirming their identity, may request to have access to their Personal Data or to have their Personal Data updated, erased or blocked. In addition to the right to object for direct marketing purposes as stated in Principle 2, each Guest will have the right to object at any time, on request and free of charge, to the processing of his or her Personal Data for processing based on Principle 1 paragraph 2, bullet points 5 and 6 if the Guest can demonstrate compelling legitimate grounds relating to his or her particular situation to the processing of data relating to him, unless where otherwise provided by applicable law. Where there is a justified objection, the processing instigated by Starwood shall no longer involve those data. Guests may also request confirmation if Personal Data about them are being Processed and what that data constitutes. This includes receiving the Guest Data about them and their source, in an understandable form.

    Guests may request their Guest Data be erased from Starwood or its Group Members, if one of the following circumstances exist:

    • Guest Data are no longer necessary for the purposes for which they were collected or Processed;
    • a Guest withdraws consent, consent has expired, or a legal ground for the Processing does not exist;
    • a Guest justifiably objects to the Processing of his/her Personal Data, including where his/her data is Processed for direct marketing purposes;
    • a court or regulatory authority has ruled that the Guest Data concerned must be erased; or
    • the Guest Data has been unlawfully Processed.

    For more information about how to submit such requests, please see our Online Privacy Statement.

  • In the event that one of the above applies, the Starwood Group Member will communicate any request for correction or deletion carried out to other Starwood Group Members and/or Third Parties to whom the Guest Data have been transferred, unless this proves impossible or involves a disproportionate effort, and will inform the Guest about those recipients upon request.


    Principle 9: Rights in Automated Individual Decisions

    Starwood is not in the business of making legal decisions based on Guest Data. However in the unlikely situation that Starwood needs to do so, it will not undertake evaluations or decisions about a Guest which result in legal effects based solely on automated Processing of Guest Data, unless that decision:

    • is taken in the course of the entering into or performance of a contract, provided the request for the entering into or the performance of the contract, is lodged by the Guest, has been satisfied, or that there are suitable measures to safeguard his/her legitimate interests, such as arrangements allowing him/her to put forth his/her point of view; or
    • is authorized by applicable law which also lays down measures to safeguard the Guest’s legitimate interests. Guests may request a manual assessment and an explanation of the decision reached after such assessment.

    Principle 10: Third Parties Receiving Guest Data

    Any third party Data Processors Starwood and its Group Members utilize will provide at least the same level of protection of Guest’s data and rights as Starwood. This Processing will include:

    • a contract legally binding the Data Processor to the Starwood Group Member;
    • an acknowledgment that the Data Processor will only act on instructions from the Starwood Group Member; and
    • at least the same level of security as required by Starwood.

    For Guest Data being sent outside of the Starwood Group and of the borders of the EEA, Data Processors must either be deemed adequate for data protection or offer guarantees satisfying European Union laws on Data Protection.


    Definitions

    Term Definition
    Data Controller A natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data.
    Data Exporter A party located in the European Economic Area who transfers Personal Data to a party located outside the European Economic Area (a Data Importer).
    Data Importer A party located outside the European Economic Area who receives Personal Data from a party located in the European Economic Area (a Data Exporter).
    Data Processor A natural or legal person, public authority, agency or any other body which Processes Personal Data on behalf of the Data Controller.
    Data Protection Authority (DPA) An independent supervisory public authority which is responsible for monitoring the application of the Personal Data protection laws within its jurisdiction (country, region or international organization) and for contributing to its consistent application in its jurisdiction.
    Data Subject A natural person whose Personal Data are Processed. For the purposes of these Guest Standards, Data Subjects are Guests.
    Guest An individual staying at a Starwood Property or using Starwood’s products and services. The definition also includes any individual who may potentially stay at a Starwood Property, or who may purchase Starwood’s products and services (i.e., a potential Guest) as well as individuals who are a contact person of a business, governmental, or other entity, which may purchase Starwood’s products and services (e.g., business to business sales).
    Guest Data Any Personal Data relating to a Guest.
    Guest Standards The short title for Starwood’s Guest Data Protection Standards, this document, including its Appendices.