PRIVACY POLICY
Your Privacy Matters
This Privacy Notice explains how FIVE Hotels & Resorts (“FIVE”, “we”, “us”, “our”) collects and uses personal data of guests, website visitors, applicants, and other individuals interacting with our services.
This notice has been prepared in accordance with:
- EU General Data Protection Regulation (GDPR)
- UAE Federal Decree-Law No.45 of 2021 (UAE PDPL)
- Dubai International Financial Centre Data Protection Law No.5 of 2020 (DIFC DP Law)
- Swiss Federal Act on Data Protection (revFADP)
- Applicable U.S. state laws including the New York SHIELD Act
FIVE acts as a data controller and is accountable to relevant supervisory authorities depending on jurisdiction.
Where personal data is collected or processed by third-party platforms or partners, such parties may act as independent controllers for their respective processing activities.
1. Data Controllers
UAE Properties
FIVE Hotel FZE
PO Box 6438, Palm Jumeirah
Dubai, United Arab Emirates
Spain / EU
UNIVERSO PACHA, S.A. (Data Controller)
Avenida Ocho de Agosto 27, 07800,
Ibiza, Spain
N.I.F.: A-87.753.935
lopd@pacha.com
Switzerland
FIVE Zurich AG
Pfingstweidstrasse 102
8005 Zurich, Switzerland
Swiss Data Protection Advisor (revFADP Art.10):
dpo@fiveglobalholdings.com
Group Data Protection Officer
dpo@fiveglobalholdings.com
2. How We Collect Personal Data
2.1 Data Collected Directly (GDPR Art.13)
We collect personal data when you:
- make reservations or stay with us
- use our website
- communicate with our teams
- subscribe to marketing communications
- apply for employment
2.2 Data Obtained Indirectly (GDPR Art.14)
We may receive personal data from:
- online travel agencies (e.g., Booking.com, Agoda)
- restaurant reservation platforms
- event ticketing providers
- travel agents or corporate partners
- social media platforms
Where bookings are made through online travel agencies or reservation platforms, personal data is provided to FIVE by those platforms in accordance with the booking arrangement.
3. Categories of Personal Data
- Identity & Contact Data
- Booking & Stay Information
- Financial Data
- Website & Technical Data
- Communications Data
- Recruitment Data
Special Categories
Where necessary we may process:
- health or accessibility information
- dietary or religious preferences
- biometric access credentials used solely for secure access control
Such data is processed only where strictly necessary for service provision, legal compliance, or where voluntarily provided by the individual.
Biometric processing relies on:
- GDPR Art.6(1)(a) consent
- GDPR Art.9(2)(a) explicit consent
Biometric data, where implemented, is stored in encrypted form and used solely for access authentication and not for identification, profiling, or surveillance purposes.
No facial recognition is used.
CCTV & Safety Monitoring
Video surveillance operates for safety, fraud prevention, and operational security.
4. Purposes and Legal Bases
| Processing Purpose
|
Legal Basis |
|---|---|
| Managing reservations and guest stays
|
Performance of contract
|
| Operational guest messaging (including WhatsApp pre-arrival coordination and service updates)
|
Contract performance
|
| Promotional messaging and marketing
|
Consent
|
| Identity verification, passport scanning, and regulatory guest registration required by local tourism or law-enforcement obligations
|
Legal obligation
|
| Personalised services and analytics
|
Legitimate interests
|
| Fraud prevention, cybersecurity and CCTV monitoring
|
Legitimate interests
|
| Recruitment and candidate evaluation | Legitimate interests & pre-contract steps
|
Guest identification information may be transmitted to competent public authorities where required by applicable laws governing guest registration and security reporting.
Where processing is based on legitimate interests, FIVE undertakes balancing assessments to ensure such interests do not override individuals’ fundamental rights and freedoms.
5. Profiling and Personalisation
We may analyse booking history or preferences to personalise services and communications.
You may object to marketing profiling at any time.
Guests may opt out of promotional communications using unsubscribe options or consent tools available on our website.
6. Automated Decision-Making
FIVE does not carry out solely automated decisions producing legal or similarly significant effects. Human oversight remains in place.
7. Marketing Communications
We do not sell personal data for monetary consideration.
Marketing communications may be sent where permitted by applicable law, including on the basis of consent or, where appropriate, legitimate interests in relation to existing customer relationships.
Individuals may opt out of marketing communications at any time using unsubscribe options provided in communications or through the consent settings available on our website. Where consent is relied upon, you may withdraw consent at any time.
Where marketing activities involve third-party platforms (such as social media or advertising networks), those platforms may process personal data in accordance with their own privacy policies and may act as independent controllers for certain processing activities.
8. Data Retention
| Data Type
|
Retention Period
|
|---|---|
| Guest stay records
|
up to 7 years
|
| Payment data
|
up to 7 years
|
| CCTV footage
|
up to 30 days
|
| Website logs
|
up to 90 days
|
| Applicant data
|
up to 12 months
|
| Biometric credentials
|
duration of authorised access only
|
9. Sharing and Processors
We may share personal data with service providers supporting our operations, including reservation platforms, enterprise systems, cloud hosting providers, payment processors, analytics providers, and marketing platforms.
All processors are contractually required to protect personal data
10. International Data Transfers
Personal data may be transferred to:
- EU / EEA
- Switzerland
- UAE
- United States
Where required by applicable law, international transfers are supported by appropriate safeguards which may include:
- Standard Contractual Clauses (SCCs)
- Swiss-adapted SCCs or FDPIC adequacy decisions
- EU-U.S. Data Privacy Framework (DPF) where providers are certified
11. Cookies and Tracking
Please refer to our Cookie Policy for detailed information.
12. Data Security
FIVE implements reasonable technical and organisational measures intended to protect personal data, however no system can guarantee absolute security. Security measures are regularly reviewed.
13. Data Breaches
Where required by law, FIVE notifies regulators and affected individuals under GDPR, UAE PDPL, DIFC DP Law, Swiss revFADP, and U.S. state breach laws.
14. Your Privacy Rights
| Right
|
EU GDPR
|
UAE PDPL
|
Swiss revFADP
|
U.S.
|
|---|---|---|---|---|
| Access
|
✔
|
✔
|
✔
|
✔
|
| Rectification
|
✔
|
✔
|
✔
|
✔
|
| Erasure
|
✔
|
✔
|
✔
|
Partial
|
| Restriction
|
✔
|
—
|
✔
|
—
|
| Portability
|
✔
|
Limited
|
Limited
|
—
|
| Object to profiling
|
✔
|
✔
|
✔
|
—
|
| Withdraw consent
|
✔
|
✔
|
✔
|
✔
|
Contact: dpo@fiveglobalholdings.com
15. Authorities and Complaints
You may contact:
- UAE Data Office
- DIFC Commissioner of Data Protection
- Agencia Española de Protección de Datos (Spain)
- Swiss FDPIC
- Relevant EU supervisory authority
- U.S. residents may contact the New York Attorney General regarding SHIELD Act breach rights.
16. Social Media Joint Controllers
Where social media integrations or advertising pixels are used, FIVE determines marketing purposes and acts as the primary contact for rights requests.
17. Third-party Websites
This Privacy Notice does not apply to third-party websites or platforms linked from our services. FIVE is not responsible for the privacy practices or content of such third parties.
18. Children’s Privacy
Services are not directed to children under 18 except where bookings are made by a parent or guardian.
19. Updates
Version 2.0 — March 2026
20. Contact
Data Protection Officer
FIVE Hotels & Resorts
PO Box 6438, Palm Jumeirah
Dubai, UAE
dpo@fiveglobalholdings.com
