Privacy Policy

Thank you for visiting our website and for your interest in our company and the services we offer.

For Hotel du Cap-Eden-Roc, in his capacity as Data Controller, the protection of your Data is a priority. We respect your privacy and ensure the protection of your personal data by processing your personal data in accordance with the data protection regulations, in particular Regulation 2016/679 of the European Parliament and Council dated 27 April 2016 concerning the protection of physical persons with regard to the processing of personal data and the free circulation of this data (“GDPR”), and any national legislation applicable to the protection of the Personal Data.

For the sake of transparency, Hotel du Cap-Eden-Roc established this Privacy Policy that aims to:

  • explain to you why your Personal Data is collected and processed by Hotel du Cap-Eden-Roc,
  • describe what types of Personal Data related to you Hotel du Cap-Eden-Roc may collect and how they are retained,
  • inform you about what the rights that you have over your data and how you can exercise them.

This Privacy Policy excludes those websites and online services that have separate privacy policies and do not incorporate this Privacy Policy by reference or otherwise.

This Privacy Policy also does not apply to the collection and processing of Personal Data by Oetker Collection and its Affiliates. The latter established their own Privacy Policy to understand how it will treat your Personal Data. Their Privacy Policy is available on the website.

Different privacy policies also may apply to other parts of our web presence, for example, web pages for online recruitment.

Our privacy practices may be more or less limited in certain countries in which we operate to reflect local practices and legal requirements. We will specifically inform you, if this is the case.

Hotel du Cap-Eden-Roc reserves the right to modify this Privacy Policy at any time. Any modification will take effect immediately.  

Consequently, we invite you to regularly consult our Privacy Policy, available from all pages of our website, in order to keep you informed of the latest applicable online version. For the changes that we consider the most significant, a notification will be made on the website. We also expect you to check the date indicated on this Privacy Policy in order to know the date of the last update.

This Privacy Policy is written in English and may be translated into other languages. In the event of any inconsistency, the English version shall prevail.

definitions

1. Definitions

For your information, a Personal Data corresponds to any information relating to an identified natural person (Data Subject) or who can be identified, directly or indirectly, by reference to an identification number or to one or more elements which are specific to him (name, first name, address, email, telephone, credit card number, etc.).

Personal data processing means any operation which is performed on Personal Data (collection, storage, transmission, deletion, etc.), whether on paper or computer.

The Controller is the person who determines the purposes of each processing and the means to achieve these purposes.

Oetker Collection means the Oetker Hotel Management Company GmbH (OHMC), a hotel management company with registered offices at Schillerstraße 4/6, 76530 Baden-Baden, Germany.

Affiliate means the companies which have an affiliation with OHMC GmbH via shared management or ownership.

Owner means all other companies which we manage under Oetker Collection’s hotel activities on behalf of third-party owners.

collect-your-data

2. Why does Hotel du Cap-Eden-Roc need to collect your Data?

The data that Hotel du Cap-Eden-Roc collects is necessary to enable it to fulfill the following purposes:

• Management of bookings (room);

• Management of stay monitoring and/or activities and other Services;

• Management of payments for reserved products, activities and other Services;

• Management of customer accounts in order to create and use the customer account, update personal information, consult or modify or cancel stay information or book additional services;

• Management of customers’ requests (before or during stay),

• Management and good performing of stays and reserved and/or potential services;

• Management of commercial prospection: concerning similar services to those already provided to the customer in the past; sending of solicitations, promotional and informative messages by post, phone call; sending of solicitations, promotional and informative messages by email, SMS/MMS;

• Organization of contests and all other promotional operations (social networks);

• Carrying out satisfaction surveys after stays;

• Management of video surveillance (CCTV);

• Establishment, exercise, or defense of legal claims against the organization;

• Accounting management (customers files);

• Management of requests to exercise the rights guaranteed to Data Subjects under the legislation applicable to the protection of the Personal Data;

In general, Hotel du Cap-Eden-Roc does not process any of your data for purposes incompatible with those for which it was collected, except with your prior consent.

what-data-palacio-tangara-collects

3. What Data does Hotel du Cap-Eden-Roc collect?

Hotel du Cap-Eden-Roc collects different types of personal data about you:

personal-data-you-provide-directly

3.1 Personal data that you communicate to us directly:

Identity: surname, forenames, address, telephone number (fixed or mobile), email address, date of birth, title, company affiliation, ID or passport, customer number, bank card number, number of children, date of birth of the children, first name of the children.

Personal Data relating to the way of payment: postal or bank identification statement, transaction number, cheque number, credit card number, third-party financing;

Personal Data relating to the commercial relationship: customer number, reservation number, documentation requests, products and services reserved and purchased, quantity, amount, frequency, delivery address, purchase history, origin of the sale (seller, representative) or order, correspondence with the customer and after-sales service, number of children, children name and birthdate;

Communication details and related (meta-)data: the correspondence exchanged, date and time of the messages, your Feedback, etc.

Personal Data relating to newsletter subscriptions: title, surname, first names, e-mail address, country of residence, date of birth.

Other Data: Other types of information that you voluntarily choose to provide to us.

The communication of your personal data is voluntary. However, certain information is mandatory and essential for Hotel du Cap-Eden-Roc to process your request, as indicated in our forms. Without this information, Hotel du Cap-Eden-Roc will not be able to process your request.

personal-data-provided-to-us

3.2 Personal data communicated to us:  

From Oetker Collection: We may receive Personal Data collected by Oetker Collection in connection with the commercial prospection management, the website management, including your Identity, Personal Data relating to newsletter subscriptions.

From the Affiliates: The Personal Data you provide to us in connection with making a reservation, including your Identity, Personal Data relating to the commercial relationship, Personal Data relating to the way of payment, is shared and received with and from the Affiliates you have previously visited for purposes of meeting your reservation requests and preferences in advance.

From other Owners:  Oetker Collection manage hotels and other properties on behalf of third-party owners (“Owners”). If you make a reservation to stay at a property managed by an Owner, we will share and receive Personal Data with and from the Owner of that property, e.g., information about your Identity, Personal Data relating to the commercial relationship, Personal Data relating to the way of payment and any observations about your service preferences. Owners’ use of your Personal Data will be governed by their own privacy practices.

From Social Media: Social media account information, profile pictures or posts.

From Other Sources: We may receive your Personal Data from other sources, like public databases, joint marketing partners that consisting with your settings on related services, and other third parties including online booking services, travel agencies, airline, credit card partners and other parties who sell products and services under our brand. Such information usually includes your Identity, Social Media Details, Your Feedback and Other Data that you voluntarily choose to provide to us.

personal-data-we-collect-automatically

3.3 Personal data that we collect automatically:

Technically required data when using our website: Certain information about you is collect when you access the Oetker Collection website, in particular, information about your device, your browsing (browser type and the version used, the operating system, the Internet access provider, the IP address of their device, the date and time of access to the website from which users visit this website and the pages they visit on the website). Oetker Collection uses Cookies and other tracking technologies to collect information about you when you interact with the Oetker Collection website. To know more about Cookies and how to manage them, please access our Cookies Policy.

Log Details: IP addresses, online user account details or profiles when you log-in to your account.

Wi-Fi and Location-Based Services: In the course and for the purpose of providing Wi-Fi services at our hotels and other properties, we may collect device identifiers (such as your IP address, or other unique identifier). Based upon your consent, we also may collect information about the physical location on your device through use of the Wi-Fi services or other technologies to provide you with personalized location-based services, such as to customized offers and promotions or to find a hotel near you.

CCTV/Surveillance: For your safety and security, images and visual recordings through the use of closed-circuit television systems collected while visiting our property, where permitted by applicable law.

sensitive-personal-data

3.4 Sensitive Personal Data

What is Sensitive Personal Data? It is information which reveals alleged racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership. It is also genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning the health, sex life or sexual orientation of a natural person.

You may provide or we may collect what is considered Sensitive Personal Data under the legislation applicable to the protection of the Personal Data. For example, you may provide your health information or dietary restrictions so that we can accommodate you during your stay.

In this case, we only process Sensitive Personal Data if and to the extent permitted and required by applicable law or with your express consent. Unless otherwise required by applicable law, you are not required to provide us with any of your Sensitive Personal Data. Should you choose not to, your decision would not prevent you from using our Services.

4. What is the legal basis for the processing of your Data?

Hotel du Cap-Eden-Roc collects your Personal Data for the purposes described in point 2 of this Policy. In any case, Hotel du Cap-Eden-Roc collects your data, only when their collection and processing are based on a legal basis.

contractual-relationships

4.1 Execution of contractual relations with Hotel du Cap-Eden-Roc:

Your Data is necessary for the execution of the contract to which you have subscribed, or you wish to subscribe, including to do/complete your reservation, manage your stay, provide you goods and services that you requested, etc. On this contractual legal basis, any refusal to communicate your Personal Data will prevent the conclusion and execution of the contract.

4.2 Compliance with a legal obligation to which Hotel du Cap-Eden-Roc is subject:

Some of your Data is processed by Hotel du Cap-Eden-Roc to comply with its legal obligations, in particular complying with legal processes, responding to requests from public and government authorities around the world, or public-sector bodies/bodies with a public-service mission, in line with applicable legislation, and pursuing available remedies or limit damage we or other third parties may sustain. Also, your Data is processed to manage your request to exercise the rights guaranteed to Data Subjects under the legislation applicable to the protection of the Personal Data.  

4.3 Your consent:

Subject to having obtained your prior and valid consent, Hotel du Cap-Eden-Roc may process your Data to communicate (e-mail/SMS) with you during your stay, to send you promotional offers, newsletters, information on us, our Services, and other marketing communications, in accordance with your preferences. With your consent, you can participate in contests and all other promotional operations organized by us on social networks. Also, to process Sensitive Personal Data you may have provided to us in connection with your stay (example: any dietary restrictions or special accommodations for physical and medical conditions). Your consent may also be necessary when we use cookies and other tracking technologies under the conditions described in our Cookies Policy. At any time, you can change your choice and withdraw your consent, as described in section 6.2 of this Policy, without however calling into question the legality of the processing based on consent and implemented before the withdrawal.

protecting-the-life

4.4 Vital Interest:

In certain circumstances when it is not possible to obtain your consent, it may be necessary for us to process your Personal Data, including Sensitive Personal Data you provided through our Services, where it is in your vital interest or in the interest of others, for example in the event of a medical emergency.

legitimate-interests

4.5 The legitimate interests of Hotel du Cap-Eden-Roc:

We may process your Personal Data for the purposes of pursuing our legitimate business reasons, in particular, providing you with superior customer service and a personalized experience when staying with us, keeping our Services safe and secure and to protect our operations or those of any of our affiliates or other third parties, and distributing and responding to surveys regarding your experience, etc. It is also for our legitimate interest to provide you with information that you have requested and responding to your inquiries. Also, for our legitimate interest to ensure your security and the security of our Services, we adopt processes to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, debugging and repairing errors, verify customer information. Subject to applicable law and regulations, it is our legitimate interest to adopt processes for the establishment, exercise, or defense of legal claims against the us, or in the event of a corporate event such as a sale, merger or change in control.

recruitment
fraud-prevention
retention-period-of-your-personal-data

5. How long do we retain your Personal Data?

Your Data is kept by Hotel du Cap-Eden-Roc for the time necessary to achieve the purposes referred to in point 2 hereof, plus the statutory limitation periods.

For example (this information may be different regarding national laws and regulations):

In terms of business relationship management:

  • Personal data relating to customers will not be kept beyond the period strictly necessary for the management of the commercial relationship. However, the data making it possible to establish proof of a right or a contract, or kept for compliance with a legal obligation will be kept for a period not exceeding the period necessary for the purposes for which they are kept, in accordance with the provisions in force (in particular but not exclusively those provided for by the Commercial Code, the Civil Code and the Consumer Code).
  • Data relating to bank cards:

. These data will be deleted once the transaction has been carried out (upon payment), which may be deferred upon receipt of the goods, increased, if applicable, by the withdrawal period provided for the contracts concluded contracts concluded at a distance and outside the establishment. In the case of payment by bank card, the card number and its validity date may be kept for the purpose of proof in the event of a possible dispute of the transaction for the duration provided for by law (French law: thirteen months following the debit date; this period may be extended to fifteen months in order to take into account the possibility of using deferred debit payment cards). These data will be used only in the event of a dispute about the transaction.

. This data relating to bank cards may be kept longer, subject to obtaining your express consent, in particular to facilitate the payment of your next orders.

. The data relating to the visual cryptogram will not be kept beyond the time necessary for the completion of each transaction, including in the event of successive payments or retention of the card number for subsequent purchases.

. When the expiration date of the bank card is reached, the data relating to them will be deleted.

In terms of management of commercial prospection:

  • Customer data used for commercial prospection purposes will be kept for a period of three years from the end of the commercial relationship (for example from a purchase, from the last contact from the customer).
  • Personal data relating to non-customer prospects will be kept for a period of three years from their collection or from the last contact from the prospect (for example, a request for documentation or a click on a hypertext link contained in an email).

Regarding inquiries:

  • The data will be kept for a period of one (1) year from the processing of your request for information.

In terms of management of requests to exercise the rights granted to data subjects under the regulations applicable to the processing of personal data:

  • The processed data is kept while your request is being investigated, then archived in accordance with the limitation periods in force (example: 5 years);
  • Data relating to identity documents will be kept for a period of one (1) year in compliance with the applicable legal deadlines;
  • In the event of opposition, the data will be kept for a minimum period of three (3) years for the sole purpose of guaranteeing the effectiveness of your right of opposition.

For more information on the retention periods of your data, you can contact Hotel du Cap-Eden-Roc (see Section 6.2 of this Policy).

your-rights-and-how-to-exercise-them

6. What are your rights and how to exercise your rights?

your-rights

6.1 Your rights

Right of access: You can obtain confirmation from Hotel du Cap-Eden-Roc that your Personal Data is or is not being processed and, when it is the case, access to all Personal Data and information held by Hotel du Cap-Eden-Roc.

Right to rectification: You can obtain from Hotel du Cap-Eden-Roc, as soon as possible, the rectification of any data concerning you which may be inaccurate or erroneous. You can also request that your data be completed, if necessary.

Right to erasure: Subject to legal exceptions, you can ask Hotel du Cap-Eden-Roc to erase your Personal Data as soon as possible, if in particular you consider that the processing carried out by Hotel du Cap-Eden-Roc on your data is no longer necessary with regard to the purposes for which they are were collected.

Right to data portability: You have the option of recovering part of your Personal Data in an open and machine-readable format or of requesting Hotel du Cap-Eden-Roc to transmit it to another organization. The only data affected by this right are data that you have actively and consciously provided to the Hotel du Cap-Eden-Roc (for example, data that you have entered in an online form) or data generated when using a service or a device as part of the conclusion or management of your contract, and which are processed automatically, on the basis of consent or the execution of a contract.

Right to object: You can object to your data being used by an organization for a specific purpose. You must then put forward reasons relating to your particular situation, except in the case of commercial prospecting, to which you can object without reason. If your data is processed for commercial prospecting purposes, you can oppose it at any time (See point 6.2 of this Policy), just as you can oppose the deposit of cookies at any time (see Article 10 of this Policy).

Right to restriction of processing: You can ask Hotel du Cap-Eden-Roc to keep your data without being able to use it, in any of the following cases: you dispute the accuracy of the data used by Hotel du Cap-Eden-Roc, you object to your data being processed, in the event of illegal use but you oppose their erasure, you need it for the establishment, exercise or defense of legal claims.

Right to withdraw your consent to the processing of your data: When the processing of your personal data is based on your consent, you have the possibility to withdraw your consent at any time (See point 6.2 of this Policy).

Right to lodge a complaint with the competent supervisory authority: If you consider that your rights have not been respected or that the protection of your data is not ensured in accordance with the legislation applicable to the protection of the Personal Data, you can, at any time, lodge a complaint with a competent supervisory authority (in France, the CNIL : directly on the CNIL website or by post to: CNIL - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07).

exercise-your-rights

6.2 Exercise of your rights

To exercise any of your rights, send your request:

By E-Mail: [email protected]m

By letter: DPO - Hôtel du Cap-Eden-Roc, Boulevard J. F. Kennedy, CS 10029, 06605 Antibes Cedex, France.

Any request must specify, in subject, the reason of the request (exercise of the right of access, the right to object, etc.), the address to which the response must be sent, and the company concerned by the request (Hotel du Cap-Eden-Roc).

To exercise your rights, you must prove your identity by any means. When Hotel du Cap-Eden-Roc has reasonable doubts about your identity, you may be asked to provide additional information necessary to confirm your identity.

Hotel du Cap-Eden-Roc will send you its response within a maximum of one (1) month from the date of receipt of your request. This period may however be extended by two (2) months due to the complexity and number of requests.

If you believe, after contacting Hotel du Cap-Eden-Roc, that your rights are not respected, you can lodge a complaint with the competent supervisory authority.

Prospecting and targeted advertising:

Please note that we only send you commercial prospection when we have obtained your explicit prior consent, except where we have obtained your data during a sale or negotiations for a sale of a product or service and where the commercial prospection are only marketing similar products or services.

 Once you have accepted to receive commercial offers from Hotel du Cap-Eden-Roc, you can, at any time, reconsider your choice and opt-out:

Commercial E-mails: unsubscribe link at the bottom of the email. Please note that even if you unsubscribe from commercial e-mail, we may still e-mail you non-commercial (transactional) e-mails related to your account and your transactions via the Services.

In general, for any question relating to this Privacy Policy or for any request relating to the management of your Personal Data by Hotel du Cap-Eden-Roc, you can send your request by email or by post, as indicated above.

shares-your-data

7. When and with whom does Hotel du Cap-Eden-Roc share your Data?

Access to your Personal Data is strictly limited to entities and their members staff authorized to process it by virtue of their duties.

Hotel du Cap-Eden-Roc is also likely to transmit your Personal Data to the following entities when this is necessary to meet one of the purposes referred to in point 2 hereof:

  • Oetker Collection: We may share Personal Data you provide to us with Oetker Collection as part of Oetker Collection’s hotel activities managed on behalf of third-party owners.
  • Affiliates: Your Personal Data you provide to us in connection with making a reservation is shared and received with and from the Affiliates you have previously visited for purposes of meeting your reservation requests and preferences in advance.
  • Other Owners: Oetker Collection manage hotels and other properties on behalf of third-party owners (“Owners”). If you make a reservation to stay at a property managed by an Owner, we will share and receive Personal Data with and from the Owner of that property.
  • Data Processors such as hosting and maintenance providers, payment service providers, fraud prevention and fight providers, logistics providers, marketing solution providers, commercial prospecting and communication management providers, service providers in charge of customer service management, data analysis, etc.
  • We may also share your Personal Data with providers that provide services such as spa treatment, salons, and restaurants within our hotels or other properties, or event planners or organizers of any event you plan or host with us.
  • We also may partner with a limited number of Internet providers to offer Internet access to our guests. Your use of Internet service is subject to the third-party Internet provider’s terms of use and privacy policy, which you can access using the links on the service sign-in page, or by visiting the Internet provider’s website.
  • We may also share your Personal Data with third parties when we may help arrange rental cars and share Personal Data with them to provide those services. We also may work with third parties, such as travel agencies and airlines. This Privacy Policy does not apply to information that you provide directly to this third parties.
  • We may share anonymized data with third parties’ providers in an anonymous way, which does not reveal Personal Data.
  • Also, if you connect to one of our social media pages, we may disclose some of your Personal Data to your friends associated with your social medial account, to other website users, and to your social media account provider, in connection with your social sharing activities. We may make reviews, message boards, blogs and other user-generated content available to users on our Services. Any information disclosed in these areas is public information and you should accordingly exercise caution when deciding to disclose your Personal Data in this context. We are not responsible for the privacy practices of other users including web operators to whom you provide information.
  • We may share your Personal Data to other partners, consultants and advisors who render services to us, including financial institutions, external auditors, lawyers, and credit card issuers.
  • We may sell our business, hotels and other assets or may cease managing a hotel or other property. In this case, we may include Personal Data collected about you, or control of that Personal Data, as a business asset in any such transfer. Additionally, we may disclose your Personal Data to a buyer or other successor in the event of a merger, sale or other transfer event, in which Personal Data held by us about our users is among the assets transferred.
  • In compliance with legal obligations, your Personal Data may be transmitted to authorized third parties, in particular to organizations, court officials and ministerial officers, as part of their debt collection mission.

Hotel du Cap-Eden-Roc does not sell, rent or share your Personal Data without your consent except in accordance with this Privacy Policy or for the purposes disclosed on any online form or location on the Services where you provide Personal Data to us. Hotel du Cap-Eden-Roc also does not engage in the sale of your Personal Data.

are-your-data-transferred-outside-brazil

8. Are your data transferred outside the EU and EEA?

Your Personal Data is hosted on secure servers and located within the European Union and the Economic European Area.

However, your Data may be transferred outside the EU and EEA, in particular when your Data will be processed by staff operating outside the EEA who work for us, for Oetker Collection, the Affiliates and other Owners or through our data processors processing data on our behalf.

As such, we would pay particular attention to ensuring that they process your Personal Data in strict compliance with the regulations in force on the Protection of Personal Data. If the latter are located in a country not subject to an adequacy decision by the European Commission, recognizing a level of protection equivalent to that provided by the European Union, a standard contract will be drawn up in order to comply with the model established by the European Commission.

protects-your-data-processing

9. How does Hotel du Cap-Eden-Roc secure the processing of your Data?

Hotel du Cap-Eden-Roc implements all technical, physical and organizational measures to ensure the security and confidentiality of your Personal Data during the collection, processing and transfer of your Data.

The infrastructures of Hotel du Cap-Eden-Roc are protected against malicious software (viruses, spyware, etc.). Physical and remote access to the servers hosting the Data is controlled. Penetration tests are performed, as well as regular backups with restore tests. The security of your terminal, from which you connect to our website, is your responsibility.

In the event that Hotel du Cap-Eden-Roc is likely to call on service providers to process part of your Personal Data, it undertakes to verify that they present sufficient guarantees to ensure the protection of the Personal Data entrusted to them and to make them sign confidentiality clauses in accordance with the legislation applicable to the Protection of the Personal Data.

In case of a Personal Data Breach, that is to say in the event of a security incident, whether malicious or not and occurring intentionally or not, resulting in compromising the integrity, the confidentiality, or the availability of your Personal Data, we undertake to comply with the obligations with the legislation applicable to the Protection of the Personal Data.

10. Cookies Policy

To know more about Cookies and how to manage them, please access our Cookies Policy.

 

social-media

11. Social Media

Hotel du Cap-Eden-Roc is present on Social Media, in particular via Instagram, Facebook, YouTube, WeChat, SINA Weibo, etc.

Access to these Social Media implies your prior acceptance of their contractual conditions, including their commitments under the legislation applicable to the protection of the Personal Data for the processing carried out by them, regardless of our pages on said Social Media. To find out more about the Protection of your Personal Data when browsing these Social Media, Hotel du Cap-Eden-Roc invites you to consult their respective Privacy Policies:

Hotel du Cap-Eden-Roc is able to collect some of your personal information when you browse the pages of our Social Media, when you “like” our pages, share content or follow us on Social Media.

Also, if you choose to log-in, connect with or link to Services using your Social Media account some of your Personal Data is shared with us consistent with your settings within the Social Media service, such as location, check-ins, activities, interests, photos, status updates, as well as Personal Data that may be a part of your profile or friend’s profile.

Hotel du Cap-Eden-Roc may be required, within the framework of the organization of contests, to collect your name, first name, date of birth, il necessary profile photograph, gender, networks, Social Media user ID, and any information made public and more generally Personal Data.

privacy-by-design

12. Privacy by Design/by Default

Hotel du Cap-Eden-Roc undertakes to integrate the protection of Personal Data by Design and by Default of a project, a service or any other tool related to the handling of Personal Data, in particular the minimization of Personal Data, limitation of the purposes of data collection, respect for the integrity and confidentiality of data, limitation of retention periods.

accountability

13. Accountability

In order to respect the principle of Accountability, Hotel du Cap-Eden-Roc:

  • adopts internal procedures in order to ensure compliance with the legislation applicable to the protection of the Personal Data (IT charter, Personal Data protection charter, etc.);
  • keeps a documentary record of any processing carried out under its responsibility or that of the processor (keeping of the processing register, confidentiality agreements for employees and service providers, company security policy, procedures for managing requests for access, rectification, opposition ...);
  • carries out Privacy Impact Assessments for processing operations presenting particular risks with regard to rights and freedoms.

The aim is to provide rich documentation to demonstrate compliance with Data Protection rules at all times.

Last update: 03rd March 2022

personal data