General Data Protection Regulation (GDPR) Update – June 2018


As you know, the European Union’s (EU’s) General Data Protection Regulation (GDPR) went into effect on May 25, giving individuals more control over their personal data. Marriott takes its commitment to data privacy seriously and a significant amount of work has been undertaken to ensure Marriott is GDPR-ready.

While this is an EU regulation, the GDPR applies to anyone holding or processing any EU personal data. All properties (including Marriott Rewards, SPG, Managed by Marriott (MxM) and franchised properties) will need to address GDPR requirements. As previously communicated, Marriott is focused on the centralized systems it controls and franchisees are responsible for “locally” maintained databases and systems containing the personal data of guests and associates. Franchisees may wish to consult with appropriate legal counsel or consultants to ensure you are GDPR-ready.

The sections below provide updates on Marriott’s progress on key components of GDPR and what you can anticipate moving forward.


TRAINING

Marriott has designed training programs to help Managed by Marriott (MxM) associates, as well as associates at franchised hotels, better understand privacy and GDPR.

What Marriott Has Done So Far: We have finalized the franchised version of our Global Privacy Training (Course #1007169 in myLearning) to help on-property associates understand what personal data is and how Marriott recommends it be handled. This training is now available for associates at franchised hotels. On-property and above-property managers of MxM hotels were informed of their new Global Privacy Training (Course #976161 in myLearning) via the May 21 Weekly Update.

What You Can Expect in the Future: Franchised hotels will be made aware of the franchise Global Privacy Training via the July 2 Weekly Update.

Training Compliance: The new Global Privacy Training is required to be completed by General Managers by Dec. 31, 2018 and on an annual basis moving forward. Additionally, we recommend that any other employee who has exposure to customer data also complete the training for 2018 and on an annual basis.

We will continue to update you in the event we develop further privacy training or receive updates to the Global Privacy Training.


INDIVIDUAL PRIVACY RIGHTS & ACCESS REQUESTS

Marriott has developed an internal process to handle requests for guest personal data from Marriott’s global centralized systems (e.g., Opera, MARSHA), and those systems are GDPR-ready. Franchisees are responsible for guest personal data, such as local guest profiles, that has been entered into PMS systems or other local systems. Additionally, franchisees may wish to consult with appropriate legal counsel or consultants to implement a process to handle guest and associate requests for their personal data.

Should a franchised hotel receive a guest request for their personal data, forward the request to privacy@marriott.com and Marriott will coordinate with the hotel, as appropriate, to respond.

Note that associates at franchised hotels are responsible for ensuring they are GDPR-ready with respect to their associate data.


NOTICE AND CHOICE

Under the GDPR, “Notice” means that guests and associates must be informed of what is being collected, the reason for collecting it and the intended use of the data. “Choice” means that in certain circumstances, we will give guests options to express their preferences, including what they share with us and how they hear from us.

What Marriott Has Done So Far:

  • Statements, Notices and Terms & Conditions (T&Cs): We have updated Marriott’s Global Privacy Statement to incorporate GDPR principles, and customers have been informed of this by email. We are also updating our Loyalty T&Cs and will let you know when they become available.
  • MI Privacy Center: We have launched a new MI Privacy Center, which contains Marriott’s Global Privacy Statement and also allows guests to express certain preferences, such as when and how they hear from us.
  • Empower: Guest Experiences (GXP) and Registration Cards: GXP will be Marriott’s global system of record for guest profiles, including information on personal preferences (e.g., food and beverage preferences, interests). Personal preference data will be either visible or hidden depending on whether consent is provided by the guest. If the address we have on file for a guest is in specific countries or jurisdictions, the default for the guest profile will be “opt-out” and personal preferences cannot be collected or viewed. Furthermore, new features will be available on July 11 that will allow hotels to capture guest preferences in GXP and activate the power of personalization. To prepare for and ensure awareness of privacy regulations, all GXP users must take the “Guest Contacts and Personalized Information” and “Introducing GPS” training courses within the Digital Learning Platform. Further details will be provided to hotels within the July 2 Weekly Update.

What You Can Do Now: 

  • Review Marriott’s Global Privacy Statement and visit the MI Privacy Center on Marriott.com and Starwoodhotels.com.
  • Franchisees may wish to consult with appropriate legal counsel or consultants for advice concerning privacy statements for personal data in local systems.
  • Hotels should participate in Empower GXP training as they have been, or will be, directed to in their Land-It Task Lists, depending on deployment schedule.

What You Can Expect in the Future:

  • Marriott will continue to update its privacy policies and standards, as well as the MI Privacy Center, and will update you accordingly when this occurs.

CONTRACTS

What Marriott Has Done So Far:

  • Group Sales Agreements: All standard Group Sales Agreement (GSA) templates in centralized sales systems (e.g., SFAWeb, ISAC, and Delphi for TRC) have been updated with new privacy language. The new MI + SPG Library of Clauses, located on the GSA page on MGS, has also been updated with the new privacy language, and the GSA templates on that page will soon be updated with this new language. Visit the GSA page ‘News & Updates’ section and the link to the Library of Clauses document for more information.

What You Can Do Now:

  • Group Sales Agreements and Other Sales Agreements: Franchisees may wish to consult with appropriate legal counsel or consultants regarding the privacy language to be included in any GSA or other sales agreements, as well as any customer-provided documents related to GDPR. Sales-specific FAQs are available on our GDPR page on MGS. Submit any sales-related questions to AskSales@marriott.com.

What You Can Expect in the Future:

  • Translations: Marriott is currently translating the privacy language used in our GSA templates into multiple languages.

ADDITIONAL SUPPORT

To assist you with further understanding GDPR and Marriott’s privacy policies and standards, we have created a GDPR page on MGS which also includes FAQs that are updated continuously. We ask that you and your associates take time to familiarize yourself with the GDPR MGS page.

As additional information becomes available regarding GDPR training, materials & resources, and Marriott’s progress against key GDPR initiatives, we will continue to provide you with updates. Should you have any questions about GDPR, please let us know. We thank you for your continued attention to, review of, and compliance with the GDPR.