PROTEA HOTEL BY MARRIOT – KAMPALA SKYZ
DATA PROTECTION POLICY

APPROVAL OF POLICY

This Data Protection Policy has been reviewed and approved by the management of PROTEA HOTEL BY MARRIOT – KAMPALA SKYZ. The policy reflects the company’s commitment to safeguarding personal data and ensuring compliance with the Uganda Data Protection and Privacy Act (Cap 97) and other relevant laws.

By approving this policy, the undersigned confirms that:

(a) The policy aligns with the company’s legal obligations and ethical standards.

(b) All employees, contractors, and third parties working on behalf of the company are required to adhere to the provisions outlined herein.

(c) The policy will be implemented across all operations of the company, effective from the date specified below.

(d) This policy supersedes any previous versions and will remain in force until formally revised or replaced.

1.1. This Data Protection Policy outlines PROTEA HOTEL BY MARRIOT – KAMPALA SKYZ’s commitment to safeguarding the personal data of guests, employees, performers, vendors, and other stakeholders in accordance with the Uganda Data Protection and Privacy Act (Cap 97) and other relevant laws. As a hospitality provider that hosts events, concerts, and shows, we recognize the importance of protecting sensitive data and maintaining confidentiality in an environment where diverse groups interact.

1.2. The policy applies to all operations of PROTEA HOTEL BY MARRIOT – KAMPALA SKYZ, including its physical premises, digital platforms such as websites and mobile apps, among others, and third-party collaborations. It ensures compliance with legal obligations, protects individual privacy rights, and maintains the company’s reputation for integrity and trustworthiness.

1.3. This policy applies to all staff members, contractors, event organizers, performers, vendors, and third-party service providers working on behalf of the company. Each person is personally responsible for upholding the principles outlined herein.

2.1. The purpose of this policy is to ensure that PROTEA HOTEL BY MARRIOT – KAMPALA SKYZ complies with its legal obligations concerning the collection, use, processing, storage, and disposal of personal data. It aims to: 

a) Protect the privacy and rights of individuals whose data is processed by the company. 

b) Maintain the confidentiality and security of personal data across all operations.

c) Build trust with guests, employees, and partners through transparent and ethical data practices.

2.2. This policy also serves as a guide for implementing robust data protection measures, training employees, and ensuring accountability at all levels of the organization.

3.1. Data: Information processed by automated means, recorded for processing, or part of a filing system.

3.2. Data Subject: Any individual whose personal data is processed by PROTEA HOTEL BY MARRIOT – KAMPALA SKYZ.

3.3. Personal Data: Information relating to an identified or identifiable natural person, such as names, contact details, identification numbers, booking details, payment information, or biometric data.

3.4. Processing: Any operation performed on personal data, including collection, storage, retrieval, use, transmission, or destruction.

3.5. Sensitive Personal Data: Includes but is not limited to information regarding race, ethnic origin, political opinions, religious beliefs, health, sexual orientation, or criminal records.

3.6. Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.

3.7. Third Party: Any external entity, such as a vendor, event organizer, or regulatory authority, that processes personal data on behalf of the company.

PROTEA HOTEL BY MARRIOT – KAMPALA SKYZ adheres to the following principles when processing personal data: 

4.1. Lawfulness, Fairness, and Transparency: 

a) Personal data will only be processed lawfully, fairly, and transparently.

b) Processing must have a lawful basis, such as consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interests.

c) Data subjects will be clearly informed about how their data is used, including the purpose of collection, who will have access, and how long it will be stored. 

4.2. Data Limitation: 

(a) Data will only be collected for specified, explicit, and legitimate purposes. 

(b) Data will not be further processed for incompatible purposes without informing the data subject and obtaining new consent if necessary. 

4.3. Data Minimization: 

(a) Only necessary personal data will be collected for the intended purpose. 

(b) Excessive or irrelevant data will not be retained. 

4.4. Accuracy: 

(a) Personal data must be accurate and kept up to date. 

(b) Errors will be corrected promptly upon identification. 

4.5. Storage Limitation: 

(a) Personal data will not be retained longer than necessary. 

(b) After the retention period expires, data will be securely deleted or anonymized. 

4.6. Integrity and Confidentiality: 

(a) Appropriate technical and organizational measures will be implemented to protect personal data against unauthorized access, loss, or damage. 

(b) Encryption, access controls, and regular audits will be employed to ensure data security.

5.1. Guest Data: 

(a) Personal data will be collected from guests for purposes such as reservations, check-ins, event bookings, loyalty programs, and marketing campaigns.

(b) Examples include identification details, contact information, payment data, dietary preferences, and special requests such as accessibility needs. 

5.2. Employee Data: 

(a) Personal data of employees, such as payroll records, performance evaluations, and emergency contact details, will be collected for employment-related purposes. 

(b) Sensitive personal data such as health information will be handled with additional safeguards. 

5.3. Performer and Vendor Data: 

(a) Personal data of performers, vendors, and event organizers will be collected for contractual and operational purposes. 

(b) Examples include contracts, invoices, and performance schedules. 

5.4. Third-Party Data: 

(a) Personal data collected from third parties such as travel agents and event partners will be processed in accordance with this policy. 

(b) Data sharing agreements will outline responsibilities for data protection.

6.1. Access Control: 

(a) Only authorized personnel will have access to personal data on a need-to-know basis. 

(b) Role-based access controls will be implemented to limit exposure. 

6.2. Physical Security: 

(a) Paper-based records will be stored in locked cabinets accessible only to authorized individuals. 

(b) Secure shredding processes will be used for disposing of confidential documents. 

6.3. Technical Security: 

(a) Encryption will be used for storing and transmitting sensitive data. 

(b) Firewalls, antivirus software, and intrusion detection systems will protect digital infrastructure. 

6.4. Data Breach Procedures: 

(a) The company will implement procedures to detect, respond to, and mitigate data breaches. 

(b) Breaches will be reported to the National Information Technology Authority – Uganda (NITA) and affected individuals within 72 hours, if required by law.

7.1. Retention Period:

(a) Personal data will be retained only as long as necessary for the purposes for which it was collected or as required by law. 

(b) Examples: Guest data may be retained for 12 months after their stay, while employee data may be retained for 7 years post-employment.

7.2. Data Disposal: 

(a) When no longer required, personal data will be securely destroyed. 

(b) Digital records will be deleted using secure deletion methods, and physical documents will be shredded.

8.1. Right to Access: Guests, employees, or any data subject can request to view the personal data held by the company. Requests will be fulfilled within 30 days. 

8.2. Right to Rectification: Data subjects can request corrections to inaccurate or incomplete personal data. 

8.3. Right to Erasure: Under certain circumstances, data subjects can request the deletion of their personal data. 

8.4. Right to Object: Data subjects may object to the processing of their data if they believe it violates data protection laws. 

8.5. Right to Restrict Processing: Data subjects may request restrictions on processing during disputes or investigations.

8.6. Right to Data Portability: Data subjects can request their personal data in a structured, commonly used format. 

9.1. Third-Party Sharing: Personal data will only be shared with third parties when necessary and with consent, except where required by law. 

9.2. Third-Party Compliance: The company will ensure that third-party service providers comply with the same data protection standards. 

9.3. International Transfers: Personal data will not be transferred outside Uganda unless appropriate safeguards are in place, such as standard contractual clauses or binding corporate rules.

10.1. All employees will receive regular training on data protection responsibilities, confidentiality requirements, and handling sensitive personal data.

10.2. New staff members will undergo mandatory training during onboarding.

10.3. Awareness campaigns will be conducted annually to reinforce data protection principles.

11.1. In the event of a data breach, the company will assess risks to affected data subjects. 

11.2. If significant harm is likely, the breach will be reported to the National Information Technology Authority – Uganda and affected individuals without undue delay.

12.1. The company will appoint a Data Protection Officer (DPO) responsible for overseeing data protection strategy and implementation.

12.2. The DPO’s responsibilities include:

(a) Ensuring compliance with data protection laws.

(b) Monitoring data protection practices and providing guidance to employees.

(c) Acting as the point of contact for data subjects and regulatory authorities.

13.1. This policy will be reviewed annually or in response to significant changes in legislation or business procedures.

13.2. Updates will be communicated to all employees, clients, and stakeholders as necessary.

PROTEA HOTEL BY MARRIOT – KAMPALA SKYZ is committed to upholding the highest standards of data protection and ensuring the privacy and rights of all individuals are respected.