PRIVACY POLICY FOR EMPLOYEES IN GERMANY

1. Introduction

We are committed to protecting the personal data of our current and former employees and our job applicants.

This Privacy Policy for Employees in Germany informs you about how we store, use, disclose or otherwise process your personal data if you:

  • are currently employed or are a temporary staff member; or
  • have been employed or were a temporary staff member in the past; or
  • apply to be an employee or if your employer intends to employ you as a temporary staff member,

at a Hyatt location in Germany (“you” or the “Employee”).

As you are an Employee in Germany, your personal data will be protected, in particular, by the provisions of the General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) (“German Federal Data Protection Act”).

2. The controller responsible for processing your personal data

Your personal data will be processed for the purposes set out in section 4 (Purposes and legal grounds of data processing) by the entity: (a) which is employing you (or engaging you where you are a temporary staff member); (b) has previously employed you (or engaged you where you were a temporary staff member); or (c) to which you are applying for employment (or to which your employer intends to assign you as a temporary staff member) (your “Employer”). Your Employer will be the entity listed in your employment or engagement contract or application form (as applicable).

If you need further help identifying your Employer, please contact us using the contact details specified in section 12 (Contact).

Your personal data may also be disclosed to and processed by other individual Hyatt entities for HR administration purposes. For further information about who we disclose your personal data to, please refer to section 5 (Recipients of your personal data).

Depending on the context, references to “Hyatt”, “we” and “our” in this Privacy Policy are references to either your Employer or to one or more of the relevant Hyatt entities referred to above if they process your personal data as controllers. Under European and German data protection law, a controller is the person that determines the purposes and means of the processing of personal data.

3. Categories of personal data we process

In this section we would like to give you an introduction to and overview of the categories of personal data that we process and the sources from which we obtain personal data.

For a complete and exhaustive list of all data categories and sources, please see section 3.4.

3.1 Personal data

The term “personal data” as used in this Privacy Policy means any information that relates to you as a natural person, to the extent that you are identified in that information or are capable of being identified from that information. For example, you may be identified by your name, an identification number, your location, an online identifier (like a user ID or email address) or by factors that are specific to your physical or economic identity. You may also be identified by a combination of different data. This Privacy Policy applies regardless of whether we store and process your personal data orally, by electronic means and/or in writing.

3.2 Sensitive personal data

In certain cases, we also process sensitive personal data about you. This includes special categories of personal data, which may reveal, in particular, political opinions, religious or philosophical beliefs or trade union membership of Employees. Data concerning health or data concerning an Employee’s sex life or sexual orientation also belong to these special categories of personal data. Personal data relating to criminal convictions and offences or related security measures are also particularly sensitive.

3.3 Sources from which your data originate

Most personal data we process is data that you knowingly provide to us. However, in some cases, we process personal data that we infer about you from other information you provide to us or that we infer during our interactions with you, for example your use of access cards to move around Hyatt locations or properties or your log-in details as you access our IT systems. In some cases, we also process personal data about you which we receive from third parties (e.g. recruitment agents) using a process that we have informed you about.

3.4 Overview of categories and sources of data

The following table sets out the categories of personal data we process about you and the sources from which we obtain these data:

Category: Personal identifiers
Details:
  • First name
  • Last name
  • Salutation
  • Gender
  • Date of birth
  • Marital status
  • Religious confession
  • Emergency contacts
  • Login details (e.g. your Hyatt Global ID)
Source: You

Category: Data about nationality and residency
Details:
  • Residency and work permit status
  • Military status
  • Nationality
  • Passport information
Source: You

Category: Contact details
Details:
  • Address
  • Telephone number
  • Email address
Source: You

Category: Accounting data
Details:
  • Banking details
  • Social security or other taxpayer identification number
  • Expense reports and transaction history
Source: You

Category: Information for Employee benefits
Details:
  • Information on working hours, vacation times, sick leaves
  • Vacation entitlement and requests
  • Information on pay, sick pay, pensions, insurance and other benefits
  • Information on the gender, age, nationality and passport information of spouses, minor children or other eligible dependants and beneficiaries
Source: You

Category: Qualification data
Details:
  • Date of hire
  • Date(s) of promotion(s)
  • Job description (e.g. level, title, location and responsibilities)
  • Work history (including details of current and/or former employers)
  • Technical skills
  • Educational background
  • Professional certifications and registrations
  • Language capabilities
  • Training courses attended
Source: You; We; Third parties (e.g. recruitment agents)

Category: Development data
Details:
  • Records of work absences
  • Salary history and expectations
  • Performance appraisals
  • Guest, customer and colleague feedback, results of secret shopper programmes
  • Letters of appreciation and recommendation
  • Selection and development assessments
  • Discipline and grievance procedures
  • Training attendance
Source: You; We

Category: Physical data
Details:
  • Height
  • Clothing sizes
  • Physical limitations
  • Special needs
Source: You; We

Category: Photo
Details:
  • Photo
Source: You

Category: Reliability data
Details: To the extent permitted by law and appropriate, in view of the function to be carried out by an Employee:
  • Results of credit checks (for example where you work in finance teams, casinos or otherwise handle large amounts of cash)
  • Results of criminal background checks (again, for example where you work in finance teams, casinos or otherwise handle large amounts of cash)
  • Health certifications (for example where you work in our gyms, pools or spas)
  • Driving licence number, vehicle registration and previous traffic offences (for example where you operate as a hotel driver for guests, delivery driver or in a similar role)
Source: You; Third parties (e.g. background check vendors)

Category: Compliance data
Details: Information required to comply with laws, the requests and directions of law enforcement authorities or court orders, e.g.:
  • Child support information
  • Debt payment information
Source: You; Third parties (authorities, courts)

Category: Data on agreements
Details:
  • Acknowledgements and agreements regarding Hyatt policies, including ethics and/or conflicts of interest policies, and computer and other corporate resource usage policies (e.g. the Acceptable Use Policy, which you can find on Hyattconnect)
Source: You; We

Category: Security data
Details: Information captured on security systems, to the extent permitted by applicable law:
  • Data stored in Closed Circuit Television (“CCTV”) systems, i.e. images and videos
  • Data stored in key card entry systems, i.e. information identifying the key card an Employee used to gain access at a specific place and time
  • Data stored in or collected by other security and technology systems, i.e. information used to facilitate remote access to our systems and to identify suspicious patterns in technology usage and/or financial management (e.g. IP address, geographic location, operating system, browser type and version)
Source: We

Category: Communication data
Details:
  • Voicemails, voice messages
  • Emails
  • Correspondence
  • Other work products and communications created, stored or transmitted by Employees using Hyatt’s computers, networks or communication equipment
Source: You

Category: Termination data
Details:
  • Date of resignation or termination
  • Reason for resignation or termination
  • Information relating to administering termination of employment (e.g. references)
Source: You; We

4. Purposes and legal grounds of data processing

In this section we would like to give you an introduction to and overview of the legal grounds pursuant to which we process personal data and the purposes for which we process personal data.

For a complete and exhaustive list of all legal grounds and purposes, please see section 4.8.

4.1 To take pre-contractual steps (Article 6(1)(b) GDPR)

If you apply to us for employment or if you are considered for a temporary position with us, we will process personal data about you as part of our application process, in order to be able to decide whether to employ or engage you and, if we decide to do so, to be able to take all necessary steps to recruit you.

4.2 To perform your employment contract (Article 6(1)(b) GDPR)

If you are employed by us or occupy a temporary position, we will store and process your personal data for administrative, HR and payroll purposes and in order to perform all our obligations arising from your employment contract with us or temporary engagement, and the termination or expiry of the same.

4.3 To comply with our legal obligations (Article 6(1)(c) GDPR)

As your Employer, we are also subject to legal obligations to store and process certain personal data. In particular, we are subject to the following obligations pursuant to the German laws applicable in the individual case:

  • retaining certain records and documents;
  • recording and maintaining information about working hours and remunerations; and
  • notifying certain information about the Employees to insurance providers, the authority responsible for social welfare and other competent authorities.

4.4 On the basis of our legitimate interests (Article 6(1)(f) GDPR)

We also process some of your personal data because we have legitimate interests in processing the data and because your rights and interests do not override ours in this respect.

In particular, we have a legitimate interest:

  • in being able to deploy our staff efficiently and to reliably determine future staffing needs;
  • in being able to appraise and reward Hyatt staff;
  • in being able to defend ourselves, our staff and our guests against claims;
  • in being able to defend our householder's right to refuse entry and to clarify the facts in individual cases if there are specific grounds for suspicion;
  • in being able to ensure the safety and security of Hyatt guests, customers, Employees, visitors, partners and property;
  • in being legally compliant;

and in processing personal data about you in this context.

If you would like to receive further information about the balancing of interests carried out in individual cases, please contact us using the contact details set out in section 12 (Contact).

4.5 On the basis of your consent (Article 6(1)(a) GDPR, section 26(2) German Federal Data Protection Act)

In individual cases, we will process personal data about you if you consent to such data processing. One example is the voluntary publication of your photo on our intranet; another is the recording of calls in specific cases. In such cases, we will contact you separately.

If you give us consent for a certain data processing activity, you will have the right to withdraw your consent at any time with effect for the future by using the contact details specified in section 12 (Contact) stating that you no longer wish your personal data to be processed for the relevant purpose.

4.6 Sensitive personal data (Article 9, Article 10 GDPR, section 26(3) German Federal Data Protection Act)

Insofar as we process special categories of data about you, the main reason for doing so is to comply with our legal obligations, to which we are subject as your Employer in the field of employment law and social security and social protection law (Article 9(2)(b) GDPR, section 26(3) German Federal Data Protection Act).

We also process special categories of personal data about you insofar as this is necessary for the purposes of preventive or occupational medicine, for assessing your working capacity, for medical diagnosis, for the provision of health or social care or treatment (Article 9(2)(h) GDPR).

If, in individual cases, we process personal data relating to criminal convictions and offences or related security measures about one of our Employees, we will only do so if permitted by European Union law, the law of Germany or that of any other EU Member State and subject to such law providing for appropriate safeguards for the rights and freedoms of the Employee concerned (Article 10 GDPR).

4.7 To detect crimes (section 26(1) sentence 2 German Federal Data Protection Act)

If, in individual cases, we process personal data relating to one of our Employees to detect crimes, we will only do so if there is a documented reason to believe the Employee has committed a crime while employed, the processing of such data is necessary to investigate the crime and is not outweighed by the Employee’s legitimate interest in not processing the data, and in particular the type and extent are not disproportionate to the reason.

4.8 Overview of purposes and legal grounds

The table below states for which purposes we process which categories of personal data about you and on which legal grounds we base such processing in each case:

Purpose: Evaluate applications for employment
Categories of data:
  • Personal identifiers
  • Contact details
  • Qualification data
  • Reliability data
  • Communication data
  • Data about nationality and residency
Legal grounds:
  • To take pre-contractual steps (Article 6(1)(b) GDPR)

Purpose: Manage all aspects of an Employee’s employment relationship, in particular:
  • Payroll;
  • Social benefits;
  • Corporate travel and other reimbursable expenses;
  • Development and training;
  • Absence documentation;
  • Performance appraisal; and
  • Disciplinary and grievance processes.
Categories of data:
  • Personal identifiers
  • Data about nationality and residency
  • Contact details
  • Accounting data
  • Information for Employee benefits
  • Qualification data
  • Development data
  • Physical data
  • Reliability data
  • Compliance data
  • Data on agreements
  • Security data
  • Communication data
Legal grounds:
  • To perform your employment contract (Article 6(1)(b) GDPR)
  • To comply with our legal obligations (Article 6(1)(c) GDPR)
  • On the basis of our legitimate interests in properly administering every aspect of the employment relationship with you, which may include taking into account the interests of your spouse, minor child or other eligible dependants and beneficiaries in receiving certain benefits, for example (Article 6(1)(f) GDPR)
  • For sensitive personal data: to comply with our legal obligations in the field of employment, social security and social protection law (Article 9(2)(b) GDPR, section 26(3) German Federal Data Protection Act)
  • For sensitive personal data: for the purposes of preventive health care or occupational medicine (Article 9(2)(h) GDPR)

Purpose: Develop workforce and succession plans
Categories of data:
  • Personal identifiers
  • Data about nationality and residency
  • Information for Employee benefits
  • Qualification data
  • Development data
  • Reliability data
Legal grounds:
  • On the basis of our legitimate interests in being able to deploy our staff efficiently and to reliably determine future staffing needs (Article 6(1)(f) GDPR)

Purpose: Maintain sickness records and occupational health protection programmes
Categories of data:
  • Personal identifiers
  • Contact details
  • Physical data
Legal grounds:
  • To perform your employment contract (Article 6(1)(b) GDPR)
  • For sensitive personal data: to comply with our legal obligations in the field of employment, social security and social protection law (Article 9(2)(b) GDPR, section 26(3) German Federal Data Protection Act)
  • For sensitive personal data: for the purposes of preventive or occupational medicine (Article 9(2)(h) GDPR)

Purpose: Manage emergency contacts and beneficiary information (i.e. Hyatt stores information on natural persons you name in this regard)
Categories of data:
  • Personal identifiers
Legal grounds:
  • On the basis of our legitimate interests in being able to immediately notify the person of trust you have chosen in the event of an emergency affecting you (Article 6(1)(f) GDPR)

Purpose: Taking, storing, or publishing photos of you
Categories of data:
  • Photo
Legal grounds:
  • On the basis of your consent, if you decide to provide us with your consent in the individual case (Article 6(1)(a) GDPR, Section 26(2) German Federal Data Protection Act)

Purpose: Investigate and respond to claims against Hyatt, its Employees, customers, guests and partners
Categories of data:
  • Personal identifiers
  • Contact details
  • Accounting data
  • Qualification data
  • Development data
  • Reliability data
  • Compliance data
  • Security data
  • Communication data
  • Data on agreements
Legal grounds:
  • On the basis of our legitimate interests in being able to defend ourselves, our staff and our guests against claims (Article 6(1)(f) GDPR)
  • For sensitive personal data: if necessary to establish, exercise or defend legal claims (Article 9(2)(f) GDPR)

Purpose: Conduct Employee surveys and administer Employee recognition programmes
Categories of data:
  • Personal identifiers
  • Contact details
  • Qualification data
  • Development data
Legal grounds:
  • On the basis of our legitimate interests in being able to appraise and reward Hyatt staff (Article 6(1)(f) GDPR)

Purpose: Terminate employment relationship:
  • Administer termination notices; and
  • Provide and maintain references.
Categories of data:
  • Personal identifiers
  • Accounting data
  • Contact details
  • Qualification data
  • Development data
  • Termination data
Legal grounds:
  • To terminate your employment relationship (Article 6(1)(b) GDPR)

Purpose: Protect the safety of our guests, customers, visitors, Employees, partners and property, including controlling and facilitating access to and monitoring activities:
  • in secured premises; and
  • using Hyatt computers, networks, communications and other resources.
Categories of data:
  • Personal identifiers
  • Contact details
  • Development data
  • Security data
  • Data on agreements
  • Communication data
Legal grounds:
  • To perform your employment contract (Article 6(1)(b) GDPR)
  • On the basis of our legitimate interests in complying with our legal obligations in relation to ensuring a safe work place and premises, and responding to requests from police, courts and other third parties (Article 6(1)(f) GDPR)
  • On the basis of our legitimate interests in being able to defend our householder's right to refuse entry and to clarify the facts in individual cases if there are specific grounds for suspicion (Article 6(1)(f) GDPR)

Purpose: Ensure the safety of our guests, Employees and our property and possessions using CCTV and other security tools to:
  • Prevent and detect crime;
  • Protect the health and safety of our guests and Employees;
  • Manage and protect Hyatt’s property and the property of Hyatt’s Employees, guests and other visitors; and
  • Quality assurance, to the extent permitted by applicable law.
Categories of data:
  • Personal identifiers
  • Contact details
  • Development data
  • Physical data
  • Data on agreements
  • Security data
  • Communication data
Legal grounds:
  • To perform your employment contract (Article 6(1)(b) GDPR)
  • On the basis of our legitimate interests in complying with our legal obligations in relation to ensuring a safe work place and premises, and responding to requests from police, courts and other third parties (Article 6(1)(f) GDPR)
  • On the basis of our legitimate interests in being able to defend our householder's right to refuse entry and to clarify the facts in individual cases if there are specific grounds for suspicion (Article 6(1)(f) GDPR)

Purpose: Detecting crimes in cases where there is a documented reason to believe that an individual Employee has committed a crime while employed
Categories of data:
  • Personal identifiers
  • Development data
  • Security data
  • Communication data
Legal grounds:
  • Section 26(1) sentence 2 German Federal Data Protection Act

Purpose: Monitor the quality of our customer service with the help of “Secret Shopper” and “Mystery Guest” programmes
Categories of data:
  • Personal identifiers
  • Contact details
  • Development data
Legal grounds:
  • To perform your employment contract (Article 6(1)(b) GDPR)
  • On the basis of our legitimate interests in being able to ensure and improve the quality of our customer service (Article 6(1)(f) GDPR)

Purpose: Monitor internet use, communications, and actions taken on Hyatt computers to ensure an appropriate level of IT security and data protection, in particular:
  • Use of malware protection software to detect activities associated with computer hacking; and
  • Recording the screen and keystrokes of the actions of administrators when they are remotely administering computer servers.
We do so in accordance with applicable laws and Hyatt’s Acceptable Use Policy, which you can find on Hyattconnect.
Categories of data:
  • Personal identifiers
  • Contact details
  • Security data
  • Communication data
Legal grounds:
  • On the basis of your consent, if you decide to provide us with your consent in the individual case (Article 6(1)(a) GDPR, Section 26(2) German Federal Data Protection Act)
  • On the basis of our legitimate interests in being able to ensure the safety and security of Hyatt guests, customers, Employees, visitors, partners and property (Article 6(1)(f) GDPR)

Purpose: Comply with applicable laws (e.g., health and safety laws), including judicial or administrative orders regarding individual Employees (e.g., garnishments or child support payments)
Categories of data:
  • Personal identifiers
  • Contact details
  • Qualification data
  • Development data
  • Accounting data
  • Reliability data
  • Physical data
  • Compliance data
  • Security data
Legal grounds:
  • On the basis of our legitimate interests in being legally compliant (Article 6(1)(f) GDPR)

Purpose: Comply with legal obligations to process personal data
Categories of data:
  • Personal identifiers
  • Contact details
  • Qualification data
  • Development data
  • Accounting data
  • Reliability data
  • Physical data
  • Compliance data
  • Security data
Legal grounds:
  • To comply with our legal obligations (Article 6(1)(c) GDPR)
  • For sensitive personal data: to comply with our legal obligations in the field of employment, social security and social protection law (Article 9(2)(b) GDPR, section 26(3) German Federal Data Protection Act)
  • For sensitive personal data: if necessary to establish, exercise or defend legal claims (Article 9(2)(f) GDPR)
  • each in connection with the German laws applicable in the individual case, in particular: section 147, 147a Fiscal Code of Germany, section 257 Commercial Code of Germany, section 19 Act on Mandatory Working Conditions for Workers Posted Across Borders and for Workers Regularly Employed in Germany, section 17(1) sentence 1 Act Regulating a General Minimum Wage in Germany, section 16(2) German Working Hours Act, for temporary agency workers section 17c(2) German Act on Temporary Agency Work, sections 28a, 28f Fourth Book of the German Code of Social Law, section 165(1), (4) Seventh Book of the German Code of Social Law, section 117(4) Seventh Book of the German Code of Social Law, section 27(1), (2) German Maternity Protection Act, section 36 German Vocational Training Act, section 32(1), section 33(1), (2), section 39(2), section 41, section 49, section 50 German Youth Employment Law, section 1(1) sentence 6, section 12(1) sentence 4, section 17c(1) German Act on Temporary Agency Work, section 17(1) sentence 2 Act Regulating a General Minimum Wage in Germany

Purpose: Retain Employees’ personal data for unresolved aspects for the above purposes after termination of employment relationship
Categories of data:
  • Personal identifiers
  • Contact details
  • Accounting data
  • Termination data
Legal grounds:
  • To perform your employment contract (Article 6(1)(b) GDPR)
  • To comply with legal obligations, in particular due to retention requirements under tax or commercial law (Article 6(1)(c) GDPR)
  • For sensitive personal data: if necessary to establish, exercise or defend legal claims (Article 9(2)(f) GDPR)

Purpose: For temporary agency workers: Collecting, storing and sharing personal data with the temporary work agency which employs the individual Employee for the following purposes:
  • Specifying the temporary agency workers who shall be engaged;
  • Assessment of qualification;
  • Documentation of daily working hours; and
  • Determination of remuneration and salary, accounting.
Categories of data:
  • Personal identifiers (first name; last name; date of birth if there is a risk of confusion)
  • Qualification data
  • Information for Employee benefits
Legal grounds:
  • To comply with specific legal obligations in the context of temporary work (Article 6(1)(c) GDPR; section 1(1) sentence 6, section 12(1) sentence 4, section 17c(1) German Act on Temporary Agency Work; section 17(1) sentence 2 Act Regulating a General Minimum Wage in Germany)

Unless personal data is processed on the grounds of consent or our legitimate interests, all personal data we request from you is obligatory.

If you do not provide us with and/or allow us to process all obligatory personal data as requested, we will not be able to obtain complete information about you, thus affecting our ability to accomplish the purposes set out in this section 4 (Purposes and legal grounds of data processing). In particular, if data are processed to perform your employment contract and you do not provide us with all the data required for this purpose, we may – depending on the category of data missing – not be able to fully comply with all our obligations that we have as your Employer.

If, on the other hand, the data processing is based on your consent or on our legitimate interests, you are not obliged to provide the relevant personal data. In particular, in cases where we ask you for consent to a certain data processing activity, you will not suffer any negative consequences if you do not give us consent. However, we will not be able to process your personal data in these cases, thus affecting our ability to accomplish the purposes set out in this section 4 (Purposes and legal grounds of data processing).

5. Recipients of your personal data

5.1 Introduction

In this section we would like to give you an overview of the persons to whom we may disclose your personal data. This includes Hyatt recipients, our agents, service providers and suppliers, persons involved in business transfers, and courts and authorities. The recipients fall into two separate categories:

  • controllers (the Hyatt recipients described at section 2, acquirers or potential acquirers described at section 5.4 and Courts and authorities described at section 5.5); and
  • processors (the agents, service providers and suppliers described at section 3).

5.2 Hyatt recipients

In order to pursue the purposes set out above, we will disclose your:

  • Personal identifiers;
  • Data about nationality and residency;
  • Contact details;
  • Accounting data;
  • Information for Employee benefits;
  • Qualification data;
  • Development data;
  • Physical data;
  • Photo;
  • Reliability data;
  • Compliance data;
  • Data on agreements;
  • Security data;
  • Communication data; and/or
  • Termination data

to human resources staff, direct supervisors, consultants, advisors and other appropriate persons employed by other Hyatt entities at our Hyatt locations as appropriate in each individual case. We disclose this personal data to benefit from administrative support and for group analytics, HR management and business planning purposes.

For more information on the Hyatt entities which may process your personal data (including their jurisdiction, company registration number and address), please click here.

5.3 Our agents, service providers and suppliers

Like many other international businesses, we occasionally outsource certain functions and/or the processing of certain information to third parties. Please note that when you apply online, you may be directed to the website of a third-party company that has been instructed by Hyatt to process your personal data for us.

If we outsource the processing of your personal data to third parties or provide your personal data to external service providers, we will require those third parties to protect your personal data through appropriate protection measures.

For more information about what data we disclose to agents, service providers and suppliers (including information on why we share this information and where they are located) please click here.

If you prefer a German-language version of this list, please let us know by post or email using the contact details specified in section 12 (Contact). We will then send you a version in German.

5.4 Business transfers

In the course of business development, we may buy or sell hotels and other assets. In such transactions, Employee data is usually part of the transferred assets. This means that we may transfer your personal data as an asset to the acquirer or potential acquirer in such a transaction, and their advisers. Also, in the unlikely event that we, or substantially all of our assets, are taken over or acquired by a third party, Employee data will be part of the assets that may be transferred.

5.5 Courts and authorities

We reserve the right to disclose personal data we store about you if we

  • are required to do so by a court of law;
  • are legally required to do so;
  • are requested to do so by an authority;
  • determine that it is necessary or desirable to do so in order to comply with any laws applicable to us; or
  • determine that it is necessary or desirable to do so in order to protect or defend our rights or property in accordance with applicable law.

6. International transfer of personal data

6.1 Data transfers within the Hyatt world

6.1.1 Introduction

Like most international businesses, we have centralised certain aspects of our data processing and human resources administration in accordance with applicable laws in order to improve our business operations. This centralisation may result in personal data being transferred from Germany to a country outside the European Economic Area with a Hyatt location, as set forth in more detail as follows.

6.1.2 Data transfers to the US for certain Employees

In particular, personal data about you will be transferred to and processed in the United States if you are employed or are a candidate for employment:

  • by any Hyatt affiliate located outside the United States; or
  • as an Executive Committee Member, Department Head or other key Employee at any of our properties or affiliated hospitality businesses located outside the United States in order to:
    • develop workforce and succession plans worldwide considering that only Hyatt in the USA has a complete view of long term succession needs for Hyatt properties and businesses around the world; and
    • investigate and respond to claims to the extent that senior staff are involved considering that issues in these cases typically are significantly cross-border or material enough to involve Hyatt affiliates in the US.

6.1.3 Data transfers in the context of changes of locations

If you are being considered for a position at a Hyatt location in another country, some personal data concerning you will be transferred to the country where the job opening is located.

Personal data about you may also be transferred to managers and human resources staff of Hyatt affiliates in other locations in accordance with applicable data protection law so that they may contact you with respect to an application for another position. The jurisdictions to which these data are transferred do not necessarily have laws that seek to protect your personal data.

6.1.4 Binding corporate rules

In the contexts set out above in sections 6.1.2-6.1.3 your personal data may be transferred to countries outside the European Economic Area, which do not provide a level of data protection equivalent to the one provided by the GDPR. This is true for the USA, for example.

However, if your personal data is transferred within Hyatt, it will be transferred in accordance with Hyatt’s binding corporate rules (see section 13 (Binding corporate rules) for more details), the terms and conditions of this Privacy Policy and applicable laws.

A list of Hyatt locations to which your personal data may be transferred and the countries in which these entities are located can be found by selecting the “All” option here.

6.2 Data transfers to third parties

In addition, some third-party providers to whom we transfer your personal data may be located in different locations outside the European Economic Area, some of which have a lower standard of data protection than in the European Union and Germany.

When we transfer personal data to third parties, we ensure appropriate safeguards are in place and oblige those third parties to take appropriate safeguards to protect your personal data in accordance with the terms and conditions of this Privacy Policy.

These third parties essentially fall into two groups:

  • local suppliers supporting individual Hyatt locations or groups of Hyatt locations, which may operate in any of the countries with Hyatt locations; and
  • centrally-procured service providers supporting Hyatt as a whole, which may be located in our major business locations, in particular the United States (where we are headquartered), Switzerland and Hong Kong.

For further information on these third parties, please see the list available in section 5.3 (Our agents, service providers, and suppliers).

7. Retention period

We will retain your personal data (including your sensitive personal data) for as long as necessary to fulfil our contractual or statutory obligations. If your personal data is no longer required to fulfil our contractual or statutory obligations, it will be deleted, unless we are required to retain your personal data for the following purposes:

  • Fulfilment of statutory retention obligations, which may arise in particular from: the Social Security Code (Sozialgesetzbuch – SGB IV), the Commercial Code (Handelsgesetzbuch – HGB) and the Fiscal Code (Abgabenordnung – AO). The retention and/or documentation periods specified therein are generally six (6) to ten (10) years.
  • Preservation of evidence within the framework of the statutory limitation periods. Pursuant to sections 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods may be up to thirty (30) years, with the standard limitation period being three (3) years.

If data processing is carried out in the legitimate interest of us or a third party, your personal data will be deleted as soon as this interest no longer exists, unless one of the above-mentioned exceptions applies. If data processing is carried out based on your consent, your personal data will be deleted as soon as you withdraw your consent for future processing, unless one of the above-mentioned exceptions applies.

If you would like to receive further information about our retention periods, please contact us using the contact details set out in section 12 (Contact).

8. Your rights

According to data protection laws in Germany and the European Union, you have various rights with regard to your personal data. We would like to present these to you below.

If you have any questions about your data protection rights or would like to exercise them, please contact us by post or email using the contact details specified in section 12 (Contact).

Please remember to include your full name, your current (or most recent) job title, your place of employment with Hyatt and your Employee ID number to verify your identity and the personal data that we maintain about you.

If we have reasonable doubts concerning your identity, we may ask for additional documentation as necessary to verify your identity, for example a copy of your ID card or passport. In such a case, please redact any information in this copy that we do not need to identify you, such as your ID number, photo, personal characteristics and nationality. As a rule, we only need the following information to verify your identity: your name, address, date of birth and the expiry date of the document.

8.1 Right of access (Article 15 GDPR)

With few restrictions, you are entitled to obtain information about the personal data we manage by sending us a written request by post or email to the addresses specified below in section 12 (Contact).

We will then confirm to you whether we process personal data relating to you. If this is the case, you have a right of access to this data and to the following information, among others: (i) the purposes of the processing; (ii) the categories of the personal data concerned; (iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed; (iv) the storage period or the criteria used to determine that period; (v) the existence of certain data subject rights under data protection law; (vi) the existence of a right to lodge a complaint with a supervisory authority; (vii) where the personal data have not been collected from you, any available information as to their source; and (viii) information about the existence of automated decision-making, including profiling.

You also have a right to receive a copy of the personal data we process about you. However, we may not disclose any data you are not entitled to receive (e.g. data that reveals information about another person). Please note that in such cases we may not provide you with a full copy or we may have to redact it.

If you make more than one request in quick succession, we may respond to your subsequent request by referring to our earlier response and identifying only those items that have changed materially.

8.2 Right to rectification (Article 16 GDPR)

You have the right to obtain from us the rectification of any inaccurate personal data concerning you and to have any incomplete personal data concerning you completed. This applies regardless of the legal ground on which we process your personal data.

If we agree that the information is incorrect we will delete or correct the information. If we do not agree that the information is incorrect, we will tell you that we do not agree and record the fact that you consider that information to be incorrect in the relevant file(s).

8.3 Right to erasure (Article 17 GDPR)

You may request from us the erasure of your data without undue delay if one or more of the following cases apply:

  • the data are – regardless of the legal ground on which we process them – no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • you have consented to the processing of your data and now withdraw such consent pursuant to Article 6(1)(a) GDPR, and there is no other legal ground for processing the relevant personal data;
  • you object to the processing of your personal data pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR;
  • the data are processed unlawfully; or
  • the data have to be erased for compliance with a legal obligation under European Union or EU Member State law to which we are subject.

8.4 Right to restriction of processing (Article 18 GDPR)

Regardless of the legal ground on which we process your personal data, you may request from us restriction of processing if:

  • you contest the accuracy of the data;
  • the processing is unlawful and you request, instead of erasure of the relevant personal data, the restriction of the use of such personal data;
  • we no longer need the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims; or
  • you have objected to the processing pursuant to Article 21(1) GDPR pending the verification whether our legitimate grounds override yours.

As a result of the restriction of processing, we may only process your personal data, with the exception of storage, as follows:

  • with your consent;
  • for the establishment, exercise or defence of legal claims;
  • for the protection of the rights of another natural or legal person; or
  • for reasons of important public interest of the European Union or of a Member State.

8.5 Right to withdraw your consent

Where we process your personal data based on your consent, you may withdraw your consent at any time, without giving any reason, by contacting us by using the contact details specified in section 12 (Contact). Please note that the withdrawal will only become effective after the date of request. Data processing performed prior to the withdrawal will not be affected.

8.6 Right to lodge a complaint with a data protection authority

You have the right to lodge a complaint with a competent supervisory authority, in particular with the supervisory authority of Rhineland-Palatinate (Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz) or a supervisory authority in the federal state (Bundesland) of your place of work. Of course, you are also free to contact any data protection authority within Germany or the European Union, for example the one competent where you reside.

A list of the contact details of the data protection authorities of the federal states (Bundesländer) can be found here.

9. Right to object (Article 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you where we process such data on the basis of our legitimate interests pursuant to Article 6(1)(f) GDPR.

If you object to such processing, we will no longer process the personal data concerned, unless:

  • we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms; or
  • the processing serves the purpose of establishing, exercising or defending legal claims.

10. Security of your personal data

The personal data we collect from you is stored by us and/or our service providers in databases which are protected by a combination of physical and electronic access controls, firewall technology and other adequate security measures. However, even with these types of security measures, the loss, misuse or alteration of personal data cannot be completely excluded. We will notify you in accordance with the GDPR and the German Federal Data Protection Act of any loss, misuse or alteration of personal data that affects you. This will ensure that you can take the necessary steps to protect your rights.

11. Amendments to this Privacy Policy

Changes in our business processes may make it necessary to adapt the way we process your personal data. Therefore, we reserve the right to update or amend this Privacy Policy at any time. When updating or amending this Privacy Policy, we will take appropriate steps to notify you of the updates or amendments. In order to inform you of the date of any amendments, this Privacy Policy includes an effective date, which can be found at the end of this Privacy Policy.

12. Contact

If you have any questions or other concerns about this Privacy Policy or the way we process your personal data, or if you wish to exercise your data protection rights (as described above in section 8 (Your rights) and section 9 (Right to object (Article 21 GDPR))), please contact us as follows:

  • Current Employees may, at their option, contact their line manager at their hotel or place of employment, the human resources manager, or Hyatt’s Data Protection Officer at privacy@hyatt.com. For complaints, further escalation at the Employee’s option can be made to the relevant Hotel General Manager and finally to Hyatt’s Chief Privacy Officer by sending an email to privacy@hyatt.com.
  • Applicants and former Employees should contact Hyatt’s Data Protection Officer at privacy@hyatt.com.

Please note that all requests for access to your personal data must be made in writing by post or email. We will respond to your requests by post, email or such other means of communication as we deem appropriate.

13. Binding corporate rules and Global Privacy Principles

This Privacy Policy, in itself, does not create any contractual rights.

However, Hyatt has created a set of “global privacy principles” which set out how Hyatt aims to handle personal information. All entities within the Hyatt group are required to comply, and to procure that their employees comply, with the requirements of these principles, which are available on our website at [Insert link to Hyatt’s updated BCRs in both English & German].

In addition, in some countries (in particular in the EU and UK), Hyatt has incorporated the global privacy principles into a set of binding standards and policies (known as “binding corporate rules”) and had them approved by a number of national data protection authorities. As a result, you may be able to have your data protection rights enforced by an authority or a court based on these binding corporate rules, in one of those jurisdictions where you are habitually resident, you work, a relevant Hyatt entity is established or you consider an infringement of your rights has taken place.

Effective since: February 2024

In the event of any inconsistencies between the German version of this Privacy Policy and a version of this Privacy Policy in another language, the German version shall prevail (to the extent permitted by law).
