Privacy Policy
This Privacy Policy describes how the GRAM Group collects and processes personal data concerning guests at our hotels and restaurants, members of our loyalty programme, the GRAM Social Club, and visitors to our websites. The term personal data refers to any information relating to an identified or identifiable natural person.
The GRAM Group AB, company registration number 559118-3073, has overarching responsibility for the processing of personal data that takes place within the GRAM Group.
Together with the GRAM Group AB, each hotel and/or restaurant within the GRAM Group – consisting of Hotel Skansen i Båstad, Torekov Hotell, Hotel Riviera Strand and Huset på Stranden – determines the purposes and means of the processing of personal data within the scope of its individual operations.
Hence, as a user of Hotell Riviera Strand AB’s (company reg. no. 556977-5603) services, the GRAM Group AB and Hotell Riviera Strand AB are the joint controllers of personal data concerning you.
Any further reference to the GRAM Group, “we”, “our” or “us” in this document should be understood to mean the group company or companies that are the controller(s) of the processing activity in question.
The GRAM Group processes personal data for purposes including the administration and processing of bookings and to adapt, provide and develop our services, so that your user experience is optimised and to personalise communication with you.
Your privacy is important to us and we work hard to ensure that we comply with applicable data protection regulation and legislation and to safeguard your rights. Please read this Privacy Policy carefully so that you understand the purposes for and means by which we process personal data concerning you and your rights as the data subject. If you have any questions regarding our processing of personal data concerning you, or about this Privacy Policy, if you wish to exercise your rights as the data subject or need to contact us about our processing of your personal data for some other reason, please do not hesitate to get in touch (see contact details at the end of this document).
How do we collect personal data concerning you?
The GRAM Group only collects and processes personal data to the extent it is permitted pursuant to applicable data protection regulation and legislation. Personal data may be collected when you book one of our services, provide information on our websites or during your stay with us. Personal data are either collected directly from you or from a company, organisation or individual involved in administering our provision of services to you. We also collect personal data through cookies, tags, tracking pixels and the GRAM Social Club’s membership services. From time to time, we may receive personal data concerning you from other group companies and our partners.
It is important to the GRAM Group that your personal data are accurate and up to date; to that end, we may import personal data concerning you from other sources such as public registers.
What types of personal data do we collect?
We only collect personal data of relevance to the purposes described in this Privacy Policy. Personal data we may collect include your name, address, telephone number, email address, IP address and cookies, data to facilitate your use of our websites (e.g. language preference and user history), data on membership of the GRAM Social Club, data on travel companions, booking preferences, payments, employer, emergency contacts, specific dietary requirements, accessibility adaptions due to disability, as well as other data you share when you contact us.
Why do we process personal data concerning you?
The GRAM Group collects personal data for various purposes. The personal data we collect and how we do so depends on which service you use.
The GRAM Group uses personal data to:
- administer, provide, develop and maintain our services, including to increase the benefit and improve your experience of our services;
- process your bookings and orders for services;
- contact you in various ways, such as by text message, other mobile applications or email, to advise you of your booking status or provide other information about your booking before during and after your stay;
- diagnose faults, optimise technologies and contact you should problems arise with a booking or the performance of a service;
- customise communication with you, such as by creating a profile for you and sending you offers that suit your profile as a user of our services;
- analyse statistics and user behaviour; and
- inform about and market our services.
On what legal grounds do we process personal data concerning you?
The GRAM Group processes personal data on various legal grounds as follows:
- The legal grounds for processing personal data to administer and process a booking you have made on your own behalf, and to provide our services in accordance with that booking, is that processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.
- The legal grounds for processing your personal data to administer and process a booking made by someone else, and to provide you with our services in accordance with that booking, is that processing is necessary for the performance of the contract entered into between us and the company, organisation or individual making the booking in question. If you make a booking on behalf of someone else, we will process your personal data on the legal grounds of our legitimate interest in meeting our contractual obligations to the company, organisation or individual to whom the booking relates.
- The legal grounds for processing your personal data to diagnose faults, optimise our technology, analyse statistics and user behaviour and customise communication with you is our legitimate interest in providing our customers with the best possible service and in optimising our communication and services.
- The legal grounds for processing your personal data to send offers and information and to market our services is our legitimate interest in marketing, promoting and informing about our business and services.
- Personal data concerning allergies or disabilities will only be processed with your explicit consent. However, our point of departure is that any such data should be anonymised to the greatest possible extent without endangering the safety of the individual. Furthermore, the data will be erased immediately after your visit when we no longer need to process the data.
Sending information
When you make a booking with us, we use personal data concerning you to send you a booking confirmation, important information about your upcoming stay with us and offers related to your stay. Any such information will be sent to the email address you supply when making a booking.
After your stay, we will send you a customer survey in which we ask you to rate your stay. This is to help us improve our services. We may also send an email thanking you for your visit.
Before and during your stay, we may also send you emails/text messages to the email address and/or mobile number you supplied when making your booking. These may, for example, contain information on available spa times, important information prior to your stay or reminders about bookings in our restaurants.
Receipt of personal data in emails
This paragraph is relevant to you if you have cause to send emails to an employee or other representative of the GRAM Group, whether on your own behalf or as the representative of your company. We collect personal data in the form of your name, email address and any other data you choose to share in your email to us. When we receive your email, we will make an assessment of whether we have any reason and legal grounds on which to store or continue processing the personal data in question. If we determine that we do, we will continue to process the personal data in accordance with this Privacy Policy. Otherwise, we will erase the personal data included in your email.
Storage and transfer of personal data
The GRAM Group stores personal data in compliance with this Privacy Policy and applicable regulation and legislation. Personal data are stored when a booking is made and during the subsequent stay with us, as well as afterwards to the extent necessary for the GRAM Group to meet its legal obligations. The GRAM Group also stores personal data to the necessary extent to establish, exercise or defend legal claims, or to detect or prevent fraud or other security issues.
After your stay, the GRAM Group will retain personal data concerning you in order to send you offers and information. You have the right, at any time and without charge, to request that the GRAM Group cease processing personal data concerning you for marketing purposes.
Personal data may be transferred between companies within the GRAM Group to be processed for the purposes stated in this Privacy Policy. The GRAM Group employs subcontractors, including outsourcing computer operations, in order to optimise our services. Personal data may therefore be transferred to these subcontractors. The GRAM Group may employ processers who process personal data concerning you only on our behalf and strictly according to our instructions. Personal data concerning you will only be processed in this manner once a data processing agreement has been entered into between the GRAM Group and the processor, so that we can ensure a high level of protection.
The GRAM Group may also disclose personal data to the police or another public authority if required to do so by law or a decision by a public authority. In certain cases, the GRAM Group may be required to disclose information to other parties involved in legal proceedings, mergers and acquisitions, audits or similar activities.
As a general rule, the GRAM Group does not transfer personal data to countries outside the EU/EEA (third countries). However, if it is necessary for us to do so to fulfil our contractual obligations to you – for example, if we have a subcontractor in a third country – we may transfer data to a third country even if according to the European Commission that country does not ensure an adequate level of protection for personal data. In any such case, the GRAM Group will take necessary measures to ensure a high level of protection for your personal data and compliance with EU/EEA regulations.
Personal data security and protection
The GRAM Group takes appropriate technical and organisational measures on an ongoing basis in accordance with the principle of “data protection by design and by default”. The GRAM Group continuously evaluates the risks associated with its processing of personal data and implements appropriate security measures to minimise those risks. Moreover, we limit access to personal data to staff that require access for the purposes describe in this Privacy Policy.
Our staff undergo continuous data protection training. If you have any questions about how we apply the General Data Protection Regulation (GDPR), please contact us at privacy@gramgroup.se, writing “Personal data” on the subject line.
External websites and applications
Websites operated by the GRAM Group may include links to other websites and/or applications that are not under the control of the GRAM Group. This Privacy Policy applies solely to your use of the GRAM Group’s websites. The GRAM Group is not responsible for the content of linked applications/websites nor for the processing of personal data that may be performed by the owner or operator of a linked application/website.
Your right to access, rectify, erase and restrict the processing of your personal data
Please inform the GRAM Group of any change to your personal data by emailing us at privacy@gramgroup.se, writing “Personal data” on the subject line.
At your request, or when we discover it ourselves, the GRAM Group will rectify or erase inaccurate or incomplete personal data. You also have the right to request confirmation from us of the personal data concerning you we are processing and to receive a copy of that data free of charge.
Under certain circumstances (see Article 18 of GDPR), you have the right to request that the GRAM Group restrict the processing of personal data concerning you, or to have it erased. Pursuant to Article 20 of GDPR, under certain circumstances you also have the right to data portability, meaning that you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
If the GRAM Group process personal data based on your consent, you have the right to withdraw your consent at any time by notifying the GRAM Group in writing. This does not affect the lawfulness of processing before consent was withdrawn. It should also be noted that withdrawing consent does not affect processing based on other legal grounds, such as providing a service that you have ordered.
As noted above, you have the right to request that the GRAM Group cease processing personal data concerning you for marketing purposes at any time and free of charge. To exercise this right, please contact us at privacy@gramgroup.se, writing “Personal data” on the subject line. You can also unsubscribe from our mailing list for offers and information by clicking on the unsubscribe link in the footer of each marketing email.
Should you have any complaints about our processing of personal data concerning you, please contact us in the first instance and we will do our very best to accommodate your views. Your privacy is highly important to us and we always strive to process your personal data in the best and most secure manner possible. If you believe that we are falling short of this ambition, you have the right to lodge a complaint about our processing of your personal data with the supervisory authority, the Swedish Authority for Privacy Protection (IMY) at www.imy.se.
Contact
If you wish to exercise your rights as stated above, or if you have any questions about the GRAM Group’s processing of personal data and compliance with applicable regulation and legislation, please contact us at privacy@gramgroup.se, writing “Personal data” on the subject line. Alternatively, you can write to us at the address below:
GRAM Group AB
Attn: Personal data
Box 1073
269 21 Båstad