1. Scope

SBTM's SRS service provides you with a booking experience where you can instantly reserve flights, hotels and rental cars that you are sure to need on your business travel to ensure greater convenience and time-saving. With respect to the delivery of the service, we work to protect your personal data we collect with your consent and ensure that proper measures are taken to protect your rights. We also have a privacy policy in place to ensure that you have full knowledge of where and how your personal data is used and what measures we take to keep it confidential. SRS service is available in Korea, America, Europe, Southeast Asia, Middle East, China and other regions and fully complies with all local privacy-related laws. Our privacy policy is subject to change for improvements. Any changes to it will be notified to you in an easy-to-understand manner. Our privacy policy includes the following provisions.


  1. Scope
  2. Scope of Collection and Use
  3. Retention and Destruction of Personal Data
  4. Disclosure and Sharing of Personal Data
  5. Use of Contractors and Cross-border Transfer of Personal Data
  6. Your Rights and How to Exercise Them
  7. Provisions on Children
  8. Automatic Processing of Personal Data
  9. Technical and Organizational Measures to Protect Personal Data
  10. Installation and Use of Devices to Collect Personal Data and Refusal
  11. Feedback and Complaints
  12. Notice of Privacy Policy

2. Scope of Collection and Use

① We will collect your personal data to provide you with a comprehensive travel booking service including air, hotel and vehicle rental to the extent that you provide consent for such collection and use. None of your personal data you provide will be used for any other purpose than what is defined below. Any changes to the scope of use will be notified to you in advance for your consent.

Category Use Scope of collection Available in:
Becoming a member
(required)
Identification to classify a user Name (Korean), name (English), nationality, date of birth, number (office), number (mobile), address, company, department, title, email, gender, username, password Korea, America, Europe, Southeast Asia, Southwest Asia, China
Booking support (viewing reservations, changes, confirmation, ticket printing, cancellations) Access log IP, access log ID, date of access, date and time of sign out Korea, America, Europe, Southeast Asia, Southwest Asia, China
Notification of booking, changes or cancellations Number (mobile phone) Email
Korea Korea, America, Europe, Southeast Asia, Southwest Asia, China
Travel booking
(required)
Flight reservations, ticket printing, changes or cancellations Information collected when you sign up for the service, credit card number, expiry date, passport number, passport expiry date Korea, America, Europe, Southeast Asia, Southwest Asia, China
Hotel reservations, changes or cancellations Information collected when you sign up for the service, credit card number, expiry date Korea, America, Europe, Southeast Asia, Southwest Asia, China
Vehicle rental reservations, changes or cancellations Information collected when you sign up for the service Korea, America, Europe, Southeast Asia, Southwest Asia, China
PICKUP & SENDING Reservations, changes or cancellations Information collected when you “sign up for the service” Southeast Asia
Travel booking
(optional)
Mileage earning Flight, hotel or vehicle rental mileage Korea, America, Europe, Southeast Asia, Southwest Asia, China
Room preferences Smoking or non-smoking, bed size, preference to a room located higher up in the building Korea, America, Europe, Southeast Asia, Southwest Asia, China
TSA Information TSA Information Korea, America, Europe, Southeast Asia, Southwest Asia, China
Visa Information Visa Information Korea, America, Europe, Southeast Asia, Southwest Asia, China

② We collect your personal information when:

- You become a member through the SRS website, email, fax, phone or a written form or make a travel reservation

- You have a conversation with our customer support or leave a comment after traveling

- You allow cookies to be used during viewing or confirmation of your reservations as part of the SRS service

③ We do not collect any information on your gender, ethnic group, ideas or beliefs, religion, current or past membership in labor union or political party, political view, health, sex life or any other sensitive data that might materially infringe your privacy.

④ When we collect your personal data with your consent, we ensure that the following is clearly informed to you.

- Who is responsible for protecting your personal data and how to reach him/her

- Purpose of using and collecting your personal data and the legal basis

- Scope and type of personal data

- Who receives your personal data including third parties

- How long your personal data will be retained and how the period of retention is determined

- Your rights

- The fact that you have the right to refuse or withdraw consent

- Your right to file a complaint

- Detailed process of transferring your personal data across the border and how it will be protected

- The existence of automated decision-making including profiling, how such decision is made, how important it is, and what consequences it will entail

- Whether provision of your personal data is required by a law or any contract, what the consequences will be if you refuse to provide your personal data

3. Retention and Destruction of Personal Data

We ensure that all of your personal data collected with your consent when you "sign up for our service" or make a reservation for "travel purposes" is destroyed when you cease to be our member.

Your personal data will be isolated from others and securely retained if you have agreed to any privacy-related law applicable in the jurisdiction where you reside specifies, or a different term where your personal data should be retained.


[Provisions of Korean laws with respect to retention of personal data]

Act on the Consumer Protection in Electronic Commerce, etc

- Record on legally binding contracts or revoking of commitment: 5 years

- Record on payment or supply of goods or others: 5 years

- Consumer complaints or how they are handled: 3 years


Protection of Communications Secrets Act

- Website access log: 3 months

4. Disclosure and sharing of personal data

① If we disclose your personal data to a third party, we will inform you in advance of the following to seek your consent.

- Who will disclose your personal data

- For what purpose the party who receives your personal data uses it

- The scope of your personal data to be disclosed

- For how long the party who receives your personal data will use it

- The fact that you have the right to refuse or withdraw consent

② You might not be able to use the full service we offer if you do not agree to disclose your personal data when you make a reservation for your business travel.

③ Unless you otherwise agree or if we are required by applicable law, we will not use, or disclose to a third party, any of your personal data beyond the scope communicated to you in the Purpose of Collection and Use of your Personal Data.

④ Unless there is any risk of infringing your interest or a third party's, we may disclose your personal data if:

- We have obtained your consent;

- Any of the applicable laws permits;

- We determine that such disclosure is necessary for the benefit of your or a third party's life, health or property when no prior consent can be obtained from you because you or your legal representative is not available to give such consent or your whereabouts are unknown; or

- Your personal data is provided for the purpose of public recording, scientific or historic research or statistics without anything that can be linked to your identity.

Category Receiver Purpose of use Scope of personal data disclosed Duration of retention Available in:
Flight List(Pop-up) Booking a flight, checking whether departure is possible Name (English), gender, date of birth, contact number (mobile), email, passport number, passport expiry data, nationality, mileage number, credit card number, credit card expiry data To be destroyed when you cease to be a member Korea
Hotel List(Pop-up) Booking a hotel room or viewing of reservation Name (English), gender, date of birth, contact number (mobile), email, passport number, passport expiry data, nationality, mileage number, credit card number, credit card expiry date To be destroyed when you cease to be a member Korea
Car rental List(Pop-up) Booking a car or viewing of reservation Name (English), contact number (mobile), pick-up location, return location, duration of rental, time of return, flight number (arrival), membership number To be destroyed when you cease to be a member Korea
GDS List(Pop-up) Book hotel/flight Name (Korean), name (English), date of birth, gender, email, credit card number, credit card expiry data, passport number, passport expiry date To be destroyed when you cease to be a member Korea, America, Europe, Southeast Asia, Southwest Asia, China
List(Pop-up) or a car Name (Korean), name (English), date of birth, gender, email To be destroyed when you cease to be a member Korea, America, Europe, Southeast Asia, Southwest Asia, China
Aggregator List(Pop-up) Booking a flight, hotel or a car Name (Korean), name (English), date of birth, gender, email, credit card number, credit card expiry data, passport number, passport expiry date Destroyed when you cease to be a member Korea, America, Europe, Southeast Asia, Southwest Asia, China
VAN KICC, INISIS Offering of payment module Name (Korean), name (English), nationality, date of birth, gender, contact number (office), contact number (mobile), address, company, department, title, email To be destroyed when you cease to be a member Korea
Insurer Samsung Fire & Marine Insurance Offering of service, individual identification, confirmation of policy purchase intention, handling of complaints, notice Information collected when you sign up for the service, credit card number, credit card expiry date, passport number, passport expiry date To be destroyed when you cease to be a member Korea

5. Use of Contractors and Cross-border Transfer of Personal Data

① We use independent professional contractors to deal with personal data collected to allow for better business operations.

② We ensure that provisions stipulating the purpose of the service employed, no subcontracting, restrictions in processing of personal data, liabilities on the contractor including damages in case of violation of its obligations, technical and administrative protection of personal data and other important aspects are clearly included in the agreement with such contractors. Any replacement of the contractors listed below will be notified to you or publicly communicated by means of updated privacy policy.

Service contracted Contractor Scope of personal data Available in:
Operation and management of data center where personal data is stored Samsung SDS(Location: Seoul, Korea) Your personal data when you "sign up for our service" or make "reservations for your business travel". Korea, America, Europe, Southeast Asia, Southwest Asia, China
Visa application on your behalf My Visa Korea Name (Korean), name (English), date of birth, gender, email, company, department, contact number (office), contact number (mobile) Korea

6. Your Rights and How to Exercise Them

① Scope of your rights

A. Right to know how your personal data are processed

- You have the right to be informed by us of the purpose and scope of collection and use of your personal data. Therefore, we ensure that you will be informed of the purpose and scope of personal data collection and how such data will be used. We also establish and publish a privacy policy.

B. Right to refuse to give consent and withdraw given consent

- This means that you have substantial control over how your personal data can be processed. You have the right to refuse to give consent to processing your personal data and withdraw such consent after being given.

C. Right to know whether your personal data have been processed and access them

- You have the right to access your personal data provided to know how possess your personal data and how much and how they use, disclose and manage them. Such right to access also helps prevent your personal data from being collected, used or disclosed in an irresponsible manner.

D. Right to restrict processing of, correct or delete your personal data

- To prevent any damage resulting from processing of incorrect personal data, you have the right to allow any of your incomplete or incorrect personal data not to be processed, or to be corrected or deleted. You also have the right to allow us to delete your personal data when there is no more need for us to retain them - for example, we have fulfilled the purpose of processing your personal data - to avoid leakage or abuse of any of your personal data.

E. Right to have your personal data back

- You have the right to have your personal data provided to us returned in an organized and generally usable form and transfer the data to be received by another party for it to use.

② How to exercise your rights

A. You can make a request to us with respect to access to, or correction, transfer, deletion of, or restriction on processing of, your personal data that we use in the following manners:

- Visit the SRS system: Log in and click on My Page to exercise your rights as needed

- Contact our personnel responsible for user privacy in writing, by phone or email

B. Upon your request, we will allow you to access your personal data under our custody within ten days.

C. We ensure that any of your personal data that you want to delete or impose restrictions on use of, will only be used during the term of use as agreed upon and will not be used or access for any other purpose.

D. You have the right to allow your personal data provided to be accessed, corrected, transferred, deleted, or only processed in a specific manner. Upon such request from you, we will take necessary measures.

E. Upon request from you to correct any of your personal data, none of such data will be used or disclosed until such correction is complete. If any of your incorrect personal data has been disclosed to a third party, a notification will be made to the party to correct it.

7. Provisions on Children

Personal data will only be collected from you if you are a member of any of our affiliates or any of our customers. No personal data will be collected from you if you are a child as defined by the applicable law where the SRS service is offered.

8. Automatic Processing of Personal Data

None of your personal data will be used to evaluate your job performance or identify your financial conditions, health, preferences, interest, credibility, behavior, location or movement.

9. Technical and Organizational Measures to Protect Personal Data

SDS's data center located in Sangam-dong, Seoul, and takes all reasonable measures to prevent any of your personal data from being lost, stolen, leaked, modified or impaired and protect the system and data from any cyber-attacks.


① SDS's data center is certified with ISO27001 (Information Security Management System) and has its activities to protect privacy inspected by a publicly credible, independent body on a regular basis.

② All your personal data is fully protected using such measures as conversion into virtual data or encryption so as to minimize any damage in the event of a breach.

③ To avoid any leakage of your personal data resulting from hacking or otherwise, professionals skilled in anti-hacking measures are available in the data center at all times. In addition, drills are conducted on a regular basis to be fully prepared for the onset of any compromise including DDoS attacks and advanced persistent threats (APT).

④ SDS's data center has dual servers - main and backup - in place to ensure that all the personal data under its custody are fully protected.

⑤ The data center grants different levels of privileges to those having access to personal data and monitors their actual access to it to minimize the possibility of leakage. The center also ensures that regular training is offered to uphold their obligations for privacy protection.

⑥ The center follows procedures for checking security by identifying any impact on personal data under their custody before the introduction of new technology requiring the use of personal data or material change to its existing system to avoid any breach.

⑦ The center applies design principles focusing on privacy such that any illegal access to, or unauthorized use or abuse of, personal data collected.

10. Installation and Use of Devices to Collect Personal Data and Refusal

① We use cookies or anything similar thereto to retrieve your personal data when you view the same booking information on our website. Refusal to allow cookies to be installed might result in the unavailability of some of our services including viewing of your reservation. ② You have an option to determine if you wish for cookies to be installed. By changing the settings on your web browser, you can allow or disallow cookies to be installed. * A cookie is a tiny text file sent by the server used in the operation of a website to a user's web browser. It is often saved in the user's computer. ③ How to refuse cookie installation

* Example: You can either allow all cookies to be saved, choose to be asked whether to allow them before any cookie is to be saved, or disallow any cookie to be saved by changing the settings on your web browser.

- Google Chrome (https://support.google.com/chrome/answer/95647?hl=en-GB)

- Internet Explorer (https://support.microsoft.com/en-us/kb/260971)

- Mozilla Firefox (https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer)

- Safari (Desktop) (https://support.apple.com/kb/PH5042?locale=en_US)

- Safari (Mobile) (https://support.apple.com/en-us/HT201265)

- Android Browser (https://support.google.com/nexus/answer/54068?visit_id=0-636602363711055441-2350803723&hl=en&rd=1)

11. Feedback and Complaints

We have personnel responsible for protecting your privacy which also deal with your complaints with respect to your personal data provided. You can contact the personnel for anything regarding your personal data including questions, suggestions or complaints that may arise during use of our service. The personnel will provide you with a full explanation as to your issue.
A. Korea
- Chief Privacy Officer: Hojun Lee
- Department: SBTM HR
- Contact number: +82-2-6048-8601
- Email: sbtm.security@samsung.com

You may also contact any of the following agencies for reporting or submitting questions in respect to your personal data.
- Privacy Infringement Reporting Center: 118 (no area code required), http://privacy.kisa.or.kr
- Department of Cyber Crime Investigation, Supreme Prosecutors' Office: 1301 (no area code required), www.spo.go.kr
- Bureau of Cyber Security, National Police Agency: 182 (no area code required), cyberbureau.police.go.kr

B. Europe
- Data Protection Officer: Yongsoo Park
- Department: Samsung Hospitality UK
- Contact number: +44-1932-455-704
- Email: shuk.security@samsung.com

You may also contact any of the following agencies for reporting or submitting questions in respect to your personal data.
Supervising Authority in Romania:
- The National Supervisory Authority for Personal Data Processing
- President: Mrs Ancuţa Gianina Opre
- B-dul Magheru 28-30
- Sector 1, BUCUREŞTI
- Tel. +40 21 252 5599
- Fax +40 21 252 5757
- e-mail: anspdcp@dataprotection.ro
- Website: http://www.dataprotection.ro/

Supervising Authority in UK:
- The Information Commissioner’s Office
- Water Lane, Wycliffe House
- Wilmslow - Cheshire SK9 5AF
- Tel. +44 1625 545 745
- e-mail: international.team@ico.org.uk
- Website: https://ico.org.uk

Supervising Authority in Germany:
- Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
- Husarenstraße 30
- 53117 Bonn
- Tel. +49 228 997799 0; +49 228 81995 0
- Fax +49 228 997799 550; +49 228 81995 550
- e-mail: poststelle@bfdi.bund.de
- Website: http://www.bfdi.bund.de/

C. China
- Chief Privacy Officer: Jaeheon Jung
- Department: Samsung Hospitality China
- Contact number: +86-22-5989-5603
- Email: shc.security@samsung.com

12. Notice of Privacy Policy

This privacy policy will take effect on May 25, 2018, and any additions or changes to, or deletion of, anything contained in the policy resulting from any changes in governing law, government policy or security technology will be notified to you via email or published on our website.


V.1.0

Privacy Policy Effective on: May 25, 2018