Privacy Policy

This document is to supply information to Sand and Sea, Inc. dba and hereinafter “Shore Hotel” Guests, Employees and Vendors about the processing of Personal Data by Shore Hotel to provide transparency and accountability required under the GDPR. A separate information document clause has also been drafted for Shore Hotel Guests, Employees and Vendors as services are used by opting to stay with us for their leisure or business purpose.

It is hoped that this document will focus on questions that Shore Hotel Guests, Employees and Vendors may have when considering the GDPR and the obligations of Shore Hotel as a service provider under this Regulation. This document will provide information about how Shore Hotel operates as applicable under this Regulation and explain the roles of Shore Hotel Guests, Employees and Vendors with respect to the services provided to and by Shore Hotel.

This document can be used as a point of reference for Shore Hotel Guests, Employees and Vendors and for Internal Departments as a source of information to respond to inquiries from Guests.

What is the GDPR?

The EU General Data Protection Regulation (GDPR) applies from 25 May 2018.

The GDPR represents an overhaul of existing of a 2016 European Union (“EU”) data protection law, building on existing privacy principles and applies to organizations which sell goods and services to EU citizens, and covers how personal information is to be processed, used, stored and exchanged when EU personal information is exchanged. It serves to provide certain protections to EU citizens over their personal data/information, how they are stored, used and processed.

The GDPR applies to all types of Personal Data that Shore Hotel may process related to covered EU citizens. For services supplied to but not limited to, Guests, Vendors, Sales Groups and Clients and B2B, this would include processing of Guest Personal Data and to a limited extent Personal Data of employees (from EU if any) of Shore Hotel – e.g. information that Shore may collect about a Guest’s name, Email Address, Date of Birth, Religion, ID, Passport, Nationality, Website Location, IP Address, Website Cookies. Any personally identifiable means will be considered covered “Personal Data” for GDPR purposes.

Shore Hotel has put in place a practice to address the requirements that GDPR imposes on Shore Hotel, both as a Data Controller (the entity that determines the purposes and means of processing of Personal Data) and as a Data Processor (where Shore Hotel is processing Personal Data), and as a business that collect information from covered EU citizens.

Shore Hotels’ GDPR Program
Inquiries about privacy matters and appointment of a Data Privacy Officer (“DPO”)

GDPR requires the appointment of a DPO in a limited number of cases. Shore Hotel’s Director of IT, in his or her business capacity, will serve as the primary and official DPO regarding all GDPR requests and processes for the hotel operations.

The DPO’s contact information as of the date of this policy is as follows:
Luong Cun, Director of IT, for Shore Hotel, Ocean View Hotel and Santa Monica Motel-

Email:; business phone: (310) 656-8495.

Shore Hotel has a structure to address privacy matters. Shore Hotel has initiated a formal GDPR program to oversee and coordinate GDPR related covered data-related activities across all functions and business units, including where Shore Hotel acts as a Data Controller and Processor.

If Shore Hotel acts as Data Processor, we will provide the following information to customers about the processing of personal data for the purposes of transparency. This information is intended to assist Shore Hotel Guests, Employees, Vendors, Sales Groups and Clients in understanding how the services process personal data and enable them to demonstrate compliance with obligations they may have under the GDPR. This information will include the following:

1. Information about how the hotel’s service units process Guest Personal Data 2. Registering/Storing of personal data on systems
3. Description about how the hotel services comply with GDPR privacy principles 4. General security measures that are in place

Under GDPR, Shore Hotel is positioned as a Data Controller of Guest Personal Data with our Guests and acting as Data Processor upon the instructions of our Guests for inquires or concierge type services such as taking and making reservations for Spas, Dinner, Tours, Taxi or Limo services, tickets to events. The GDPR does not require a separate data processing agreement to be entered into between the parties. The requirement under GDPR is that processing will be governed by contract and the contract will set out the following:

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;

  • the type of personal data and categories of data subject;

  • obligations and rights of the Data Controller. Contractual Amendments to services agreements

For any further clarifications or amendments that may be required to services agreements to cover the GDPR requirements, please contact our designated Data Privacy Officer (“DPO”). Considering most of the businesses Shore Hotel works with and the services provided by Shore Hotel, the Shore Hotel’s department leaders should reach out to their Account Representatives to obtain addendums as needed to comply with the GDPR. Additionally, any potential contracts to be signed into; shall be reviewed by all parties including their respective DPO and legal counsel prior to signing; to ensure GDPR is clearly complied with in such contract(s).

In order for Shore Hotel, Guests and Vendors to comply with the specific requirements under the GDPR, Shore Hotel will offer standard processing clauses that meet the requirements of Article 28 of the GDPR.

Written Instructions of Shore Hotel’s Guest

The instructions of the Data Controller are as set out in the products/services agreement and/or provided by the Data Controller through the activation or configuration of a service. Additional instructions from Shore Hotel are usually raised through a change request or other contractually agreed process, insofar as adjustments are required to functionality or system architecture in order to meet the Guest or Vendor specific requirements. As well, Registration Cards and Confirmations Letters will summarize GDPR.

Product and Service Transparency – Detailed Service Description

To assist our Guests, Employees and Vendors in meeting obligations under GDPR, Shore Hotel has or will be preparing detailed information to describe the processing of Personal Data through information which will contain an overview of Shore Hotel services and products to assist them to demonstrate compliance with obligations under the GDPR or other data protection legislation.

The Products and Services Transparency Reports will be prepared for the following Shore Hotel Products and Services:

• Delphi – A cloud-based sales and catering solution to make reservation and scheduling arrangements to use our meeting spaces.

 Oracle Opera PMS– An on-premise based solution that enables employees to Check-In and Check-Out guests as they stay in our guest rooms.

 Oracle Micros POS– An on-premise based solution that enables employees to take food and beverage orders and process payment from guests regarding Food & Beverages purchases.

 Zingle- A cloud-based solution for Guests Services to communicate with guests regarding their needs during their stay with the hotel.

 Office 365– A cloud-based solution that enables employees to communicate with guests and vendors regarding products and services.

 Expedia,, Hotel Tonight, Priceline, Agoda, C Trip, Hotwire, Excite, Travelocity, Groupon, Travel Zoo– Are external Vendor based of companies that take and make reservations on behalf of Guests to book stays at the Shore Hotel.

 Sabre/Synxis– A cloud-based call center solution for Guests or potential guests to make reservations or booking of room(s).

 IDeaS– A cloud-based solution that enables employees to use for forecasting rates and rooms availabilities.

 Merchant Link/Shift 4– A cloud based external credit card processing solution that enables the hotel to process credit cards of Guests securely between the Shore Hotel’s property management system and the guest’s banking system.

 Clarabridge– A cloud-based solution for employees to use to review surveys taken by guests so that the hotel can improve upon its products and services.

 Starline Tours, B&W Limousine Services, tickets, flowers, babysitting, restaurant reservations, reservations for other hotels such as vegas or cruise to Catalina island, universal studios– Are vendor based of companies used by the concierge team to make and book reservations on behalf of guests.

 Chargerback– A web based external solution that enables employees and Guests to use to retrieve lost and found items that they may have left behind during/after their stay.

 FedEx, UPS, USPS– A solution that enables employees to use to ship lost and found items back to the Guests after payment is made from the Guest through Chargerback.

 Ceridian– A cloud-based solution that enables employees to review Resumes or CVs from any individual looking to seek employment at the Shore Hotel.

 MS-Shift– A cloud-based external solution that enables employees to review, store info regarding incident reports, property damage and other general liability reporting.

 Shore Hotel - Shorely Sands Stuffed Starfish Animal – Stuffed animal in guest rooms. Guests are welcome to purchase. EU Guests who opt to purchase and pay for the product through their room charge or with cash.

 Shore Hotel Towels- Shore Hotel Towels (not Pool Towels). EU Guests who opt to purchase and pay for the product through their room charge or with cash.

 Shore Hotel Bicycle Rental- Shore Hotel Bicycles are for any hotel guests to rent for use during their stay. A waiver is collected from the guest. No information other room number, 3hr usage time is noted by the Front Desk.

 Doorma Kaba/VingCard- In-Room key card access. No guest information is in the cards. Only date, duration of access and room number are programmed into the cards.

 HotSOS Housekeeping, formerly REX - HotSOS Housekeeping is a cloud-based solution that automates housekeeping daily operation.

 HotSOS Mild – A Lite version of HotSOS. For staff to use a lite version ticketing system to assist and respond to guests needs and preferences.

 HotSOS - A cloud-based, service optimization enterprise solution. For staff to use as a full version ticketing system to assist and respond to guests needs and preferences.

 Assured ID/TTI Services- Device used to check for potential fraud of IDs cards or passports.

 Verifone/Ingencio- Device used to process all types of credit cards upon check-in/check-out

 AAA Parking- An external solution vendor for parking valet services.

 Amano McGann- An external solution vendor that AAA Parking vendor use to handle processing of Entry and Exiting of vehicles including payment for public or guest parking services.

 Concierge- An internal service the hotel offers in scheduling and arrangements for guests regarding event ticket reservations and purchases, booking of restaurants or dinner, tours, rentals, spa- manicure/pedicure, flower purchases and other external services on behalf of a guest.

 Mitel/Oaisys/EOS/CNS/CallAccounting- External vendors that employees use to record calls for quality and training purposes. Calls in guest rooms are not recorded. Customers who call into the hotel’s main phone number can expect to be recorded as well as internal extensions and employee lines. Shore Hotel reserves the right to record calls pertaining to quality and training assurance.

 Wanaport- An external vendor solution vendor providing support services to on-premise WiFi Support for all guests and guest rooms. The Internet splash page ask for guest name and room number in order to use such service. Terms of use is located and available on the splash page. Guest user must acknowledge terms of use on the splash page in order to proceed to use internet.

 Business Center- A solution for Guests to use as an alternative electronic means to check email, make reservations or tours, research, print flight details or other means as they wish. Terms of use is located at the business center; including notification for a guest to Shutdown or Reboot the business center computer to wipe all data upon use and after use of the business center computers.

Each of the Product Transparency Items will contain the following information:

• Description of the purpose of the processing of Guest Personal Data by Shore Hotel

• Data Mapping/Flows to illustrate where and how Guest Personal Data is processed, accessed, stored, maintained, and data is transferred to vendors and/or other third parties;

• Description of how Shore Hotel enables compliance with relevant privacy principles including:

o Data maintenance, storage, retention and deletion capabilities
o Security Measures (including relevant certifications) to provide adequate protection to Guest

Personal Data
o Purpose limitation, data minimization and accuracy

EU Citizen’s Rights- Data Subject Rights:

A common request from guests or vendors is to understand how products or services can be used to address Data Subjects Rights. Shore Hotel as the Data Controller will be responsible for addressing the rights of Data Subjects. Shore Hotel and its employees will provide assistance to address the rights of data Subjects, either by explaining the functionality of the services, providing self-service tools or providing assistance to address Data Subjects rights. Data Subjects is another word to describe an identifiable EU citizen/person who has provided identifiable personal data.

Right to Information  an individual must be provided with certain information where Personal Data is collected from the individual or where Personal Data is not collected from the individual, the information must be provided within a reasonable period of obtaining the Personal Data.

The Data Controller will need to provide this information to the individual when the information is collected or ensure that if others are collecting the information on behalf of the Data Controller provide the relevant information to the individual through the use of privacy notice or other means of communicating the information such as informing the individual during the check-in and check-out process with reg cards and / or confirmation letters.

Right to Object  an individual has a right to object to processing of Personal Data if it is based on Exhibit A Section (e) or (f); namely (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or (f) processing is necessary for the purposes of legitimate interests purposed by the controller;

Whether the Right to Object exists for a Data Subject will depend on the legal grounds for the processing of the Personal Data. Where the processing of Personal Data is required for the performance of a contract to which the individual is subject the individual would not have a right to object to the processing. E.g. if personal data is being processed to provide make a booking of a guest or meeting room or banquet space such as for weddings, to perform the contract and make the booking the personal data is required. It can also be retained by the Data Controller as long as required to protect the Data Controllers interests, e.g. to cover a limitation period for claims. Where the Legal grounds for processing is consent or legitimate business interest – the Data Subject may have a ground to object. Shore Hotel and its B2B can comply with this right through the use of the relevant services, namely by deleting the relevant personal data.

Right to Access - A Data Subject shall have a right to obtain from the Data Controller confirmation of how the Personal Data is being processed concerning him/her and where this is the case access to the following information, and other ways the personal data is used:

• Purpose of the processing
• Categories or sequences of Personal Data processed
• Recipients or categories of recipients
• Retention period of Personal Data
• Information about exercising of rights under Data Protection legislation

Shore Hotel and its employees will be able to use the services to provide a Data Subject with access to the requested information under a right to access request.

Right to rectification - A Data Subject has a right to rectify inaccurate Personal Data.
Personal Data can be rectified through use of the services or through direct request to Shore Hotel employees to make corrections as needed.

Right to Data Portability - The right to data portability is where the processing has been based on the Legal Ground of Consent or Performance of a Contract Exhibit A Section (a) and (b).
Shore Hotel can provide a service to supply information in a structured, machine-readable format to an individual resident of the EU if requested.

Right to Erasure/Deletion of Personal Information - Data Subject shall be able to obtain erasure of Personal Data from Data Controller in particular circumstances, including:

• Personal Data no longer required for the services • Automated decision making;
• Unlawful processing;
 Or when other lawful requests are made;

Right to Restrict Processing

Shore Hotel will be transparent with any citizens of the EU countries regarding all aspects of use related to their Personal Data. As such, Shore Hotel treats ALL Employees, Vendors and Guest Data; no matter EU or not; including Personal Data, strictly confidential and handled with care structurally based on operational standards until the business transaction has concluded, e.g from the time a guest makes a reservation, to being on premise for check-in and off premise after check- out has concluded. The Right to Restrict Processing is limited considering it is the duty of all parties from the Data Controller, to Data Processor, to Guest to complete a business transaction.

Exhibit A-
Standard Processing Clauses- Under GDPR

Where Shore Hotel processes Personal Data (as defined under GDPR) for the purposes of the services provided under this Agreement, Shore Hotel is Processing Personal Data as a Data Controller or Data Processor through guests or concierge and stay services on behalf of a Guest under the GDPR.

Where Shore Hotel processes Personal Data on behalf of the Guest as a Data Processor for the purposes of providing the services only, Shore Hotel shall:

(a) only process Personal Data in accordance with the instructions of the Shore Hotel, these instructions will be as set out in the description of the services, except to the extent that any legal requirement prevents Shore Hotel from complying with such instructions or requires the Processing of Personal Data other than as instructed by the Guest.

(b) ensure that any personnel authorized by Shore Hotel to access the Personal Data are subject to a duty of confidentiality in respect of the Personal Data;

(c) ensure that any Personal Data is subject to appropriate technical and organizational measures against unauthorized or unlawful Processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data in accordance with any Data Protection Legislation applicable to Shore Hotel;

(d) inform Guest, Vendors or Employees of the sub-processors used in the Processing of Personal Data and any changes to the sub-processors used in the Processing of Personal Data in the services. Shore Hotel has general authorization from Guests, Vendors and Employees to engage sub-processors in the Processing of Personal Data only related to business services. Where Shore Hotel engages sub- processors, it shall impose the Personal Data Processing obligations set out in this clause on such sub- processor;

(e) inform Guest of any requests or queries from a data subject, regulatory authority or any other law enforcement authority regarding the Processing of Personal Data under the Agreement and provide the Guest with any information and assistance that may reasonably be required to respond to such requests or queries;

(f) provide reasonable assistance to the Guest, Vendor or Employee at their cost, in respect of compliance with Art 32-36 of the GDPR, taking into account the nature of the Processing undertaken by the Shore Hotel and the information available to Shore Hotel;

(g) at the choice of the Guest to, delete or return all Personal Data to the Guest after the end of the Processing of Personal Data under the Agreement, unless Shore Hotel is required to retain the Personal Data by applicable law;

(h) notify the Guest without undue delay on becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored of processed by Shore Hotel in connection with the services; and

(i) make available to the Guest, information reasonably necessary to demonstrate compliance with Shore Hotel Personal Data Processing obligations under this Clause.

Thank You