We are committed to protecting and respecting your privacy. This Privacy Notice (this “Notice”) governs the collection and use of personal data by Jumeirah International LLC, its affiliates or any company it controls. It explains how and why we use your personal data and applies to the personal data that you provide us directly, or which we may obtain from other sources.
We may use your personal data for any of the purposes described in this Notice, or as otherwise stated at the point of collection. For more information about Jumeirah International LLC please see https://www.jumeirah.com.
References to "our", "us" or "we" within this Notice are to Jumeirah International LLC, P.O. Box 73137, Dubai, United Arab Emirates, privacyoffice@jumeirah.com.
We are the data controller of your personal data. We decide how and why your personal data is processed, either alone or jointly with others.
If you visit our venues or use our facilities and services, the entity which manages the relevant venue, facility or service will also be a data controller in respect of your personal information. You can access a ‘Data Controller List’ here, which sets out all of our different entities and their contact details. This will enable you to identify the relevant entity that holds, processes, and secures your personal data and is the data controller in relation to your personal data.
In this Notice we refer to “processing” your “personal data”.
Processing is taken to mean anything that is done to or with personal data (including simply collecting, storing or deleting that data).
Personal data is any information relating to an identified or identifiable living person (for example, name, address, telephone number). When “you” or “your” are used in this Notice, we are referring to the relevant individual who is the subject of the personal data. Relevant individuals may include Primary Guests, Secondary Guests, and Children (as defined below).
Primary Guests: The individual or entity directly engaging with our services or products.
Secondary Guests: Individuals associated with the Primary Guest who benefit from or are involved in the service.
Children: Any individuals below 16 years of age.
Sensitive Data: Includes data that reveals racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, and data concerning health.
Where we may use cookies, you can also control the data stored by cookies and withdraw consent to cookies by using the browser-based cookie controls described in our Cookie Policy available on our websites.
To provide services to you, we may process different categories of personal data whilst adhering to the data minimization and purpose limitation principles in accordance with the applicable data protection law. As described below:
Contact Details: Includes, but is not limited to, home address, home/personal mobile number, personal email address, and emergency contact number.
Identification Data: Includes, but is not limited to, name, title, company, individual physical description, photo, citizenship, nationality, passport data, visa information, driver’s license information, resident country's ID, marriage certificate, birth certificate, education certificates, national/social insurance number (if applicable), health insurance, government retirement plan information, and tax reference/ID (if applicable).
Sensitive Data: Includes data that reveals racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, and data concerning health.
Web Data: Includes, but is not limited to, cookies, user activity logs, IP address, social media profile, and website visitor interaction data.
Financial Data: Includes, but is not limited to, card details and bank details.
Other Personal Data: Includes, but is not limited to, date of birth, age, gender, voice recording, religion, languages spoken, place of birth, marital status, country of residence, family, signature and driving license number.
Travel/Stay Information: Includes, but is not limited to, travel history, loyalty scheme information, preferences, stay information, feedback/analysis, product purchase information, reservation history, VIP status, tenancy contract, and occupancy information.
The reason these categories of personal data are processed, along with our lawful basis for doing so, are set out in the table below.
Personal Data Directly Obtained from You
CCTV: We use CCTV in our premises in order to better ensure the safety and security of our guests and our staff. It is in our legitimate interest to process any personal data captured. Your personal data will not be kept longer than necessary to meet the purposes detailed above. CCTV signage is in place where required by local laws or regulations.
Facial Recognition: We use facial recognition technology to provide a seamless online check-in experience and to personalise your stay with us, including to provide you with mobile room keys (‘Smart Key’) when requested and book chauffeur driven car services. We use this technology to identify you by comparing a photograph that you upload (e.g., a selfie) against a document which you also upload (such as your passport or National ID card). Our staff will not be able to view the photograph you upload; they will verify your identity via your passport or other relevant identification. This technology is only used for selected Dubai hotels. The data collected for this technology is as follows:
- Photograph (e.g., selfie);
- Passport or National ID card; and
- Credit card details (for pre-authorisation purposes only).
Once you have checked-in online, you can activate a Smart Key from the Jumeirah One app. We will use the data provided above to activate the Smart Key. For both Android and iOS devices, we will also ask you to enable your Bluetooth and your permission to use location services. This is because we use Bluetooth Low Energy technology to send messages between our IT servers and the Jumeirah One app to enable the functionality of the Smart Key. The use of Bluetooth Low Energy will determine the proximity between your device and our IT servers but does not collect precise geolocation data. Therefore, your location is never used for tracking purposes or shared with third parties. Once the Smart Key is activated, we will create a unique ID for identifying your device accompanied by your room number to ensure the Smart Key works for your room only. If you wish to share the Smart Key with other guests, we will ask you for their email address and request that they provide us with the same information provided above, therefore they will be subject to facial recognition technology. Please note that if you wish to activate a Smart Key but have not checked-in online, you will also be asked to provide an email address and the information noted above for facial recognition purposes. The Smart Key will not be available to Children.
We rely on your consent to process this personal data for facial recognition technology purposes described in this section above. For sensitive data, we process, we rely on your explicit consent. You are not obliged to use the Jumeirah One app to check-in, and we will only use the facial recognition technology after you have given your consent. Primary Guests can consent through the Jumeirah One app and Secondary Guests through an email sent by us (if provided by the Primary Guests). You can withdraw your consent at any time. Primary Guests can do so through the Jumeirah One app and Secondary Guests by replying to our initial email.
The technology is only used for adult guests in some of our hotels in Dubai and will not be used for guests who are Children. In relation to Children, only photos of identification documents will be collected for check-in purposes on the lawful basis of consent from their parents or relevant persons with parental responsibility for the Children in question. A Child can exercise their data subject rights as described below (under “your rights”).
Your personal data will be shared with our third-party technology partner (for facial recognition) and third-party service providers. As part of the standard check-in process (irrespective of whether you are checking in via the Jumeirah One app), your personal data will also be shared with the Government of Dubai to comply with our legal obligations (the lawful basis we rely on for this processing is a legal obligation). Primary Guests will receive an alert on the Jumeirah One app when their personal data is shared with the authorities on behalf of all guests in your party.
Your personal data will be deleted 48 hours after you check out unless you have indicated otherwise via the Jumeirah One app. If you have indicated that you consent to your data being retained for a longer period to avoid re-supplying us with your photograph or other personal data on your next visit, your personal data processed for facial recognition purposes will be held for a period of 90 days after you check-out. Any personal data we have shared with the Government of Dubai will be retained by them in line with their own retention policy.
For facial recognition purposes, your data will only be processed in the United Arab Emirates (“UAE”) and will not be transferred outside of the UAE. However, when activating a Smart Key, the unique ID we have generated for your device and accompanying room number (described above) will be transferred through the USA but not stored outside the UAE. No further processing will take place for facial recognition purposes other than as described above. Any personal data collected may be anonymised for research and analytical purposes.
If you have any queries relating to how facial recognition technology is applied to your data or would like to make a request relating to your data, you can contact us via the methods described below (under “contacting us”).
Personal Data Indirectly Obtained from Others
We may also receive some information about you from third parties. These are further detailed below:
Medical Service Providers: As necessary, we obtain your personal data from medical service providers when accidents and incidents occur, as well as in order to provide medical care when required.
Financial Service Providers: As necessary, we obtain your personal data from financial service providers for membership information purposes and to fulfill contracts or services.
Social Media Platforms: As necessary, we obtain your personal data from social media platforms for analytics purposes, in order to manage and progress complaints, for marketing purposes, in order to improve the services provided and to conduct surveys.
Airport Service Providers: As necessary, we obtain your personal data from airport service providers for membership information purposes and to manage and fulfill bookings.
Transport and Leisure Websites: As necessary, we obtain your personal data from travel and restaurant websites to manage and fulfill reservations, facilitate the check-in and check-out process, handle complaints, manage competitions and events, and provide medical care when required. This also includes collecting membership information for a seamless travel and dining experience.
To the extent necessary, we will also receive your personal data from other entities within the Jumeirah International LLC group of companies, including our subsidiaries and holding companies.
Legitimate Interest
Where we rely upon legitimate interest as a lawful basis, we have balanced your rights and freedoms against our interests, or those of any third parties, and determined your rights are not infringed. Legitimate Interest is where your personal data is processed for either our own interests or the interests of third parties. This can include commercial interests, individual interests or broader societal benefits.
We are required under the Kingdom of Saudi Arabia's Personal Data Protection Law to inform you that where the law applies, collecting and processing your personal data is mandatory in order for us to guarantee your rights as a customer and provide you with a suitable service experience. Where we are required by applicable laws or professional standards to collect personal data and you fail to provide that data when requested, we may not be able to offer you our services.
Your personal data will not be kept longer than necessary to meet the purposes detailed above. The criteria that we use to determine how long we will keep your personal data includes the period of time during which we have an ongoing relationship with you, and whether we have a legal obligation to store it (for example, for accounting purposes or for litigation, or regulatory investigations purposes). For the storage period please refer to the section titled "What do we collect from you and how do we use it ?" above.
Should retention of your personal data no longer be required we will remove it from our systems and records and/or take steps to properly anonymise it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which we are subject).
Where necessary to fulfil the purposes described in this Notice, we shall disclose your personal data to certain third-parties, vendors and service providers or affiliated employees, contractors and entities as described below. For facial recognition purposes, your personal data is shared with third parties as described above in section titled "What do we collect from you and how do we use it?".
Jumeirah International LLC forms part of Dubai Holding Corporate LLC and its subsidiaries. To the extent necessary, and where we have a lawful basis to do so, we will also share your personal data with other entities within Dubai Holding Corporate LLC’s group of companies, including our subsidiaries and holding companies.
Where we share personal data, we do so with the following parties for the following purposes:
Where we have a lawful basis to do so, we will use your personal data to evaluate certain personal aspects about you, such as to analyse or predict aspects concerning your economic situation, personal preferences, interests, reliability, behaviour, location or movements. This is known as “Profiling”. We only conduct profiling where it will not have a legal or other significant effect on you. We undertake profiling to help tailor our marketing to you.
When processing your personal data, we may transfer this to third parties based in other countries, to the extent necessary to fulfil the purposes described in this Notice. Your personal data may be transferred within the Dubai Holding Corporate LLC’s group of companies, including to our subsidiaries and holding companies. Such transfers shall always be done in compliance with relevant data protection laws. The majority of personal data processed by us is stored in the United Arab Emirates, where the appropriate data protection measures are in place.
For transfers of personal data from the UK and European Economic Area (“EEA”) we transfer personal data to entities outside the EEA, under the EU Standard Data Protection Clauses. Further information about transfers can be obtained by contacting us using the following email address privacyoffice@jumeirah.com.
To the extent required, we will also transfer your personal data to third parties in connection with a reorganization, restructuring, merger, acquisition, or transfer of assets, provided that the receiving party agrees to treat your personal data in a manner consistent with applicable laws and requirements.
We have implemented technology and operational security measures in order to protect personal data from loss, misuse, alteration, or destruction. Only authorised persons are provided access to personal data; such individuals have agreed to maintain the confidentiality of this personal data.
You may have certain rights relating to your personal data. However, these rights can differ depending upon the country in which you are located. That country’s law will determine which rights apply and in what instances.
Right to Withdraw Consent: Where you have provided your consent to us, you will always have the right to withdraw this at any time. You can do this by either following the information provided at the time you provided your consent, or by contacting us using the following email address privacyoffice@jumeirah.com. The withdrawal of consent will not affect any processing that was based on consent before its withdrawal.
Right to Request Correction of Your Personal Data: You will always have the right to request that we correct or update any personal data that we process about you that is inaccurate or incomplete. You can do this by contacting us at privacyoffice@jumeirah.com.
Right to Restrict the Processing of Your Personal Data: You have the right to ask us to restrict, suspend, or stop the processing of your data. You can do this by contacting us at privacyoffice@jumeirah.com.
Right to Request Deletion of Your Personal Data: You have the right to request your personal data to be deleted. You can do this by contacting us at privacyoffice@jumeirah.com.
Right to Object to the Processing of Your Personal Data: You have the right to object to our processing of your personal data. You can do this by contacting us at privacyoffice@jumeirah.com.
Right to Obtain a Copy of Your Personal Data: You have the right to obtain a copy of your personal data in a commonly used and machine-readable format. You can do this by contacting us at privacyoffice@jumeirah.com.
Right to Lodge a Complaint: You have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or the country in which an alleged infringement of data protection law has occurred.
It is important to understand that these rights are not absolute (e.g., their application may depend upon the lawful basis we rely upon to process your personal data) and that we may require further information from you (e.g., to confirm your identity) in order to action your request.
Artificial Intelligence (AI) Systems:
We use AI Systems that process personal data to enable us to improve our services and user experiences. We remain vigilant when using AI to protect personal data, ensuring customer privacy, and preventing unauthorised or fraudulent activity. Our customers and stakeholders shall remain confident that personal data is adequately protected with us, especially in cases where AI is used to deliver the product or service, as this may infer heightened protection where AI is deployed.
How we use AI Systems
This notice gives you information on how we protect your personal data in our use of the AI System.
Personal data may be processed within our AI Systems. We remain the data controller for your personal data when it is processed while using our AI Systems. We process personal data in accordance with the relevant data protection laws. In the case where we have engaged a processor, we have mandated contracts that uphold our standards in compliance with the relevant data protection laws.
We will sometimes process customers' personal data when using AI Systems. We have regulated the use of AI internally, weighed the opportunities and risks in advance of our use of AI and ensured appropriate human supervision where important matters are concerned. Where we offer dialogues with an AI, we will make this evident and, if necessary, point out potential errors.
Personal Data Processed by AI Systems
We may collect personal data either directly from you, third parties or public sources. We process your personal data using AI Systems to improve the efficiency, quality, and speed of our business processes and for the purpose of providing services. When using AI systems, we may process various types of personal data. For more information, please refer to the section titled "What do we collect from you and how do we use it?".
In limited circumstances, we may process sensitive data through the AI System, but we will ensure that we have the necessary lawful basis in place before doing so. Where we process your existing personal data we will continue to rely on the appropriate lawful basis for that processing activity. In certain instances, we engage data processors; however, they are unable to access any of your personal data entered in the AI Systems. We have mandated contracts with data processors to ensure that your personal data is protected.
If you want to exercise any of the rights set out above or have any questions or concerns about how we treat your personal data, please contact us at privacyoffice@jumeirah.com or by writing to us at: Jumeirah International LLC, PO Box 73137, Dubai, United Arab Emirates. Please include your reply address when you write to us.
We keep this Notice under regular review. We reserve the right, at our discretion, to change, modify, add or remove sections of this Notice at any time. You are also encouraged to review this Notice from time to time for updates. We will notify you of any changes (including when they will take effect) if we are required to do so by data protection laws.
