Marriott Group Privacy Statement for the Collection of Non-Employee and Non-Guest Personal Data

Last Updated: February 28, 2023

1. Introduction

The Marriott Group, which includes Marriott International, Inc. and its affiliates (“Marriott,” “we,” “our”), is committed to protecting the Personal Data it collects, stores and uses. This Privacy Statement covers Personal Data of individuals other than Marriott Associates, such as contractors, consultants, Franchise Hotel employees, business partners, and non-guests (“you,” “your”). For avoidance of doubt the Personal Data of Marriott Associates is covered by the Associate Personal Data Privacy Statement, and the Personal Data of guests is covered by the Marriott Group Global Privacy Statement, and not this Statement.

2. Purpose

The collection and use of your Personal Data enables Marriott to engage in business planning and operational processes, such as project implementation, providing training, and administering discount programs to others besides Marriott Associates and guests.

3. What Data Marriott Collects, Uses, Transfers and Shares, and Why

Marriott may have collected or will collect information about you and your relationship with Marriott. Marriott refers to such data as “Personal Data.” For more specific information regarding the Personal Data about you that Marriott may collect, use, transfer, and share, and the purposes for which it may be collected, used, transferred, and shared, please see the end of this Statement. Marriott will not use Personal Data for any purpose incompatible with the purposes described in this Statement, unless it is required or authorized by law, authorized by you, or is in your own vital interest (e.g., in the case of a medical emergency).

With the exception of certain Personal Data that is required by law, or is necessary or important to the performance of our business, your decision to provide Personal Data to Marriott is voluntary. However, if you do not provide certain required Personal Data, Marriott may not be able to accomplish some of the purposes outlined in this Statement.

4. Who Has Access to Your Personal Data

Access to Personal Data within Marriott will be limited to personnel with a business need to access Personal Data for the purposes described at the end of this Statement, and may include Marriott personnel in Human Resources, Lodging Development, Information Technology, Compliance, Legal, Finance and Accounting, and Internal Audit. Occasionally, Marriott may also need to make Personal Data available to owners of the Marriott Group-branded properties that we manage, or other, unaffiliated, third party service providers.

Third party service providers and owners are expected to protect the confidentiality and security of Personal Data, and only use Personal Data for the provision of services to Marriott, or in accordance with agreements, and in compliance with applicable law.

5. Security

Marriott will take appropriate measures to protect Personal Data, consistent with applicable privacy and data security laws and regulations, including requiring service providers to use appropriate measures to protect the confidentiality and security of Personal Data.

6. Data Integrity and Retention

We will retain your Personal Data for the period necessary to fulfill the purposes outlined in this Privacy Statement unless a longer retention period is required or permitted by law.

The criteria used to determine our retention periods include:

• The length of time we have an ongoing relationship with you
• Whether there is a legal obligation to which we are subject
• Whether retention is advisable considering our legal position (such as, for statutes of limitations, litigation or regulatory investigations)

7. Individual Rights Requests

Please contact privacy@marriott.com if you have any questions or concerns about how Marriott processes Personal Data; if you wish to request access, correction, suppression, or deletion of your Personal Data; if you wish to request that Marriott cease using your Personal Data; or if you would like to request an electronic copy of your Personal Data for purposes of transmitting it to another company. Marriott will respond consistent with applicable law. Please note, however, that certain Personal Data may be exempt from these requests pursuant to applicable data protection laws or other laws and regulations.

8. Your Obligations

Please keep Personal Data current and inform us of any significant changes to Personal Data. You agree to inform others whose Personal Data you provide to Marriott about the content of this Statement, and to obtain their consent (provided they are legally competent to give consent) for the use (including transfer and disclosure) of that Personal Data by Marriott as set out in this Statement, or as required by applicable law.

9. Reasons and Basis for Collection, Use, Transfer and Disclosure

Marriott collects and processes data about you: (i) because we are required to do so by applicable law; (ii) because such data is of particular importance to us and we have a specific legitimate interest under law to process it; (iii) because such data is necessary to fulfill a contract; or (iv) where necessary to protect the vital interests of any person. Marriott’s legitimate interest in collecting and processing Personal Data is detailed at the end of this notice and includes, for example:(1) to administer and generally conduct business within Marriott; (2) to ensure that our networks and data are secure; and (3) to prevent fraud. Where this reason does not apply, your decision to provide Personal Data to Marriott is voluntary, and we will process such data with your consent, which you may withdraw at any time.

10. Transfers and Use of Personal Data in the European Economic Area (EEA)

Due to the global nature of Marriott operations, Marriott may, through the internet and Marriott’s networks, share Personal Data with personnel and departments throughout Marriott to fulfill the purposes described at the end of this Statement. This may include transferring Personal Data to other countries or regions (including countries or regions other than where you are based and that have a different data protection regime than is found in the country where you are based). A list of the Marriott Group affiliated companies that may process and use Personal Data is available here.

We may transfer Personal Data to countries located outside of the European Economic Area (“EEA”). Some of these countries are recognized by the European Commission as providing an adequate level of protection according to EEA standards (the full list of these countries is available here). For transfers from the EEA to other countries, we have put in place adequate measures, Data Transfer Agreements and/or Standard Contractual Clauses to protect your data.

11. Data Protection Officer Contact Information and Complaints

If you have any questions or concerns, please initiate your request with your corporate representative. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data.

If you are not satisfied, you may contact the data protection officer responsible for your country or region via MarriottDPO@marriott.com. In your email, please indicate the country in which you are located. Additionally, you may lodge a complaint with a data protection authority for your country or region or where an alleged infringement of applicable data protection laws has occurred at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.

12. Changes to the Statement

Marriott reserves the right to amend this Statement at any time in order to address future business developments or changes in the industry or legal trends. Marriott will post the revised Statement on Marriott Global Source (MGS) or announce the change on the home page of this website. You can determine when the Statement was revised by referring to the “Last Updated” legend at the top of this Statement.

Types of Personal Data Marriott May Collect, Use, Transfer and Share

• Personal Details: Name, associate identification number, work and home or residential contact details (email, phone numbers, postal address) language(s) spoken, gender, date and place of birth, national identification number, social security number, nationality, marital/civil partnership status, domestic partners, dependents, disability status, emergency contact information and photograph. 
• Position: Internal descriptor used to support course offerings.
• System and Application Access Data: Data required to access Marriott systems and applications such as System ID, LAN ID, mHUB, email account, instant messaging account, mainframe ID, and electronic content produced using Marriott systems.
• Sensitive Personal Data: Marriott may also collect certain types of sensitive data only when permitted by local law, such as biometric, health/medical data, trade union membership information, religion and race or ethnicity. Marriott collects this data for specific purposes, such as health/medical information to accommodate a disability or illness and to provide benefits; religion or church affiliation in countries such as Germany where required for statutory tax deductions; and diversity-related Personal Data (such as gender, race or ethnicity) to comply with legal obligations and internal policies relating to diversity and anti discrimination. Marriott will only use such sensitive data for the purposes listed below and as provided by law.

The Purposes for which Marriott May Collect, Use, Transfer and Share Personal Data

• Communications and Security: Facilitating communications and safeguarding and maintaining IT infrastructure by using various security tools, office equipment, facilities and other property.
• Business Operations: Operating and managing the IT, communications systems, and facilities, managing product and service development, improving products and services, managing Marriott assets, project management, business continuity, offering services and benefits, and maintaining records relating to business activities.
• Compliance: Complying with legal and other requirements applicable to Marriott’s business in all countries or regions in which Marriott operates, record-keeping and reporting obligations, conducting audits, compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claims (including those received through the hotlines), conducting investigations including reported allegations of wrongdoing, policy violations, fraud, financial reporting concerns, and complying with internal policies and procedures.
• Monitoring: Monitoring of email and other Marriott-owned resources, and other monitoring activities as permitted by local law. Please note that electronic communications, such as emails from Marriott-provided electronic communication services and the Marriott network, do not grant personal, privileged, or confidential status or rights in such communications to the sender, recipient, or user of such messages. There is no right to privacy or to assert any privileges with respect to such electronic communications. Marriott reserves the right to access, monitor, review, copy, and/or delete any such electronic communications. Marriott also reserves the right to assert privileged or confidential status or rights in such communications as permitted by law.

The Categories of Unaffiliated Third Parties with whom Marriott May Share Personal Data

• Service Providers: Companies that provide products and services to Marriott such as, human resources services, expense management, IT systems suppliers and support, trade bodies and associations, accountants, auditors, lawyers, insurers, bankers, and other outside professional advisors and service providers.
• Public and Governmental Authorities: Entities that regulate or have jurisdiction over Marriott such as regulatory authorities, law enforcement, public bodies, and judicial bodies.