Privacy Policy
Orient Express Management Company, located at 82, rue Henri Farman, 92445 ISSY-LES-MOULINEAUX (hereinafter “Orient Express”, “we” or “us”), processes, as data controller, the personal data of the users (the “Web User”) of its website (https://www.orient-express.com/ – hereinafter the “Website”), of the travel professionals who contact us or make a reservation on behalf of their clients (the “Agents”), as well as the individuals for whom a booking of an itinerary on board of our trains, or of our sailing ship, or of a stay in an Orient Express hotel is made (hereinafter the “Guests”) (hereinafter together “you”).
In order to provide you with transparent information on the processing activities carried out by Orient Express within this context and on your rights relating thereto, we have written this privacy policy (hereinafter the “Policy”).
1. Orient express ten principles for protecting your personal data
- we really need. If the result can be achieved with less personal data, then we make sure we use the minimum data required.
- Transparency: We inform people about the way we use their personal data.
- We facilitate the exercise of the people’s rights: access to their personal data, rectification and erasure of their personal data and the right to object to the use of their personal data
- Storage limitation: We retain personal data for a limited period.
- We ensure the security of personal data, i.e. its integrity and confidentiality.
- If a third partyuses personal data, we make sure it has the capacity to protect that personal data.
- If personal data is transferredoutside European Union, we ensure this transfer is covered by appropriate legal tools.
- If personal data is compromised (lost, stolen, damaged, unavailable…), we notify such breaches to the respective country’s responsible authority and to the person concerned, if the breachis likely to cause a high-risk in respect of the rights and freedoms of this person.
For any questions regarding these ten principles, please contact us at the coordinates indicated in article 7 “Your rights”.
2. What personal data is collected?
As part of the processing activites described below, we collect the following personal data:
- For Web Users:
- Title,
- First name and last name,
- Email address,
- Phone number,
- Country,
- Guest type (e.g. individual, travel professional, group),
- Navigation data,
- Where applicable, any information that you would spontaneously communicate us when contacting us.
- For Agents: the collect of your personal data listed below may be carried out through our partner Accor S.A.
- First name and last name,
- Email address,
- Phone number,
- Professional loyalty program membership code, if applicable,
- IATA number.
- For Guests: the collect of your personal data listed below may be carried out through different channels:
- Either directly from you when you make a booking on our Website, or
- Either indirectly via the individual booking the stay or itinerary for you, or via our partner Accor S.A when your booking is made through its website all.com.
- Title,
- First name and last name,
- Date of birth,
- Nationality,
- Phone number,
- Where applicable, a copy of a piece of identification,
- The Accor ALL loyalty program number, or of another partner program, and information about your activities within this program,
- Your credit card number (for transaction and reservation purposes),
- Email address,
- Postal address (ZIP code, address, city, country),
- Information related to the booking,
- Information related to your children (first name, date of birth, age),
- Any relevant comments related to your booking that you would spontaneously communicate to us (e.g., smoker or not, type of bedding, print media read, cultural interests, sports, food and drink preferences, etc.),
- You questions/comments during or following your stay/itinerary.
The information collected in relation to persons under 16 years of age is limited to their name, nationality and date of birth, which can only be supplied to us by an adult. We would be grateful if you could ensure that your children do not send us any personal data without your consent (particularly via the Internet). If such data is sent, you can contact our data protection officer (see clause “Your rights” below) to arrange for this information to be deleted.
3. For what purposes is your data collected and how long do we retain it?
To simplify the presentation of the data processing’s modalities, we present in the table below the reasons why we process your personal data (purposes), our justifications for the processing (legal bases), as well as the period during which we use them (retention periods).
Purposes | Legal basis | Retention periods |
Management of your booking (management of the booking, its payment, personalization of your stay, etc.) | Processing necessary to perform an agreement with you. | For a duration of 3 years from your last contact with us. |
Taking into account the Guest’s preferences and special requirements where applicable (e.g., specific diet requirements) | Processing based on your consent. | |
Management of your stay (management of room access, follow-up of food and beverages) | Processing necessary to perform an agreement with you. | For the duration of your stay. |
Internal management of lists of customers having behaved inappropriately during their stay /itinerary (aggressive and anti-social behavior, non-compliance with safety regulations, theft, damage and vandalism or payment incidents). | Processing necessary to our legitimate interest in managing any adverse event. | Up to 122 days from the recording of an event. |
Using services to search for persons staying in our hotels in the event of serious events affecting the hotel in question (natural disasters, terrorist attacks, etc.). | Processing necessary to protect the vital interests of the Guests. | For the duration of the event. |
Compiling statistics and performance measures | Processing necessary to our legitimate interest in improving our services. | For the duration necessary to achieve the objective targeted by the statistics. |
Management of our satisfactory surveys with our clients | For a duration of 3 years from the date you responded to the survey. | |
Management of your contact requests (via our online form , those of our partners, or via our call center) | Processing necessary to our legitimate interest in responding to your demands
|
For the duration necessary to respond to your demands.
Where applicable, if your call has been recorded, the data related to it will be retained until you object to its retention, or for a duration of 3 months from the date of the call. |
Sending our newsletter | Processing based on your consent. | Your data is retained until you withdraw your consent to the reception of our newsletter, or 3 years from your last contact with us. |
Improve the relevance of targeted advertisements displayed to you online
|
Your data will not be retained for longer than 25 months. | |
Management of your navigation on the Website through the use of functional and technical cookies | Processing necessary to our legitimate interest in providing a functioning Website. | Your data will not be retained for longer than 25 months. |
Securing payment operations by determining the level of fraud risk associated with each transaction | Processing necessary to our legitimate interest in managing our activities and to prevent fraud risk. | 90 days for analysis and controls and then 2 years in a separated database used for improving the system.
In case of registration in the incident file, 2 years from recording or until regularization of the situation if earlier. |
Managing our legal and accounting obligations | Processing necessary to comply with our legal obligation of data storing. | For the compliant duration with our legal obligations or the as stipulated by law. |
Litigation management | Processing necessary to our legitimate interest in establishing evidence in the event of litigation. | We retain your data for the applicable statutory limitation periods. |
4. Condition of third-party access to your personal data
Your personal data may be shared with internal and external recipients under the following conditions:
- We share your data with a limited number of authorized staff members and departments within Orient Express, and in particular the business team, marketing team, our customer support as well as our fraud and compliance department.
- With service providers and partners: your personal data may be transmitted to third parties, in particular to hotels, hospitality trains operated under the Orient Express brands, as well as to our IT service provider in charge of the Website’s hosting, our payment service provider and our call center. Your data may also be transmitted to our partner Accor S.A.
- Local authorities:we may also disclose your information to local authorities, if required by law or in the course of an investigation and in accordance with local regulations.
5. Protection of your personal data during international transfers
For the purposes indicated in Article 3 of this Policy, we may transfer your personal data to internal or external recipients who may be located in countries offering different levels of personal data protection.
Therefore, Orient Express implements appropriate measures to secure the transfer of your personal data to an external recipient located in a country offering a different level of protection from that offered in the country where the personal data is collected.
Data flows to countries that do not offer an equivalent personal data protection are subject to the standard contractual clauses defined by the European Commission. If necessary, we will also implement additional safeguards to these transfers in order to ensure the effective application of the standard contractual clauses.
You may ask more information on the framing of the international transfers we may perform by sending an email at the address specified in Article 7 “YOUR RIGHTS”.
6. Data security
Orient Express takes appropriate technical and organizational measures, in accordance with applicable legal provisions (in particular article 32 of the GDPR), to protect your personal data against destruction, loss or alteration, misuse and unauthorized access, modification or disclosure, whether such actions are unlawful or accidental. To this end, we have implemented technical measures (such as firewalls) and organizational measures (such as a login/password system, physical protection, etc.) to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services.
7. Your rights
You have the right to obtain information and access to your personal data collected by Orient Express, subject to the applicable legal provisions.
You also have the right to have your data rectified, erased or have its processing restricted. Furthermore you have the right to data portability and to issue instructions on how your data is to be processed after your death (hopefully as late as possible!). You can also object to the processing of your personal data.
If you wish to exercise any of your rights, please contact the Orient Express data protection officer at the following address : [email protected].
For the purposes of confidentiality and personal data protection, we will need to check your identity in order to respond to your request. In case of reasonable doubts concerning your identity you may be asked to include a copy of an official piece of identification, such as an ID card or passport, along with your request. A black and white copy of the relevant page of your identity document is sufficient.
All requests will receive a response as swiftly as possible and in compliance with applicable law.
You also have the right to lodge a complaint with a data protection authority.