1.1 MARKETING, PROFILING AND LOYALTY PROGRAM

By signing up for our loyalty programs (Hey Neighbor and Brøchner Friends,), you consent to our processing of the following personal information on you: name, email and postal code for Hey Neighbor program, for the purpose of analyzing which products and services you may be interested in so that we can send relevant and targeted offers, discounts, updates on Brøchner Hotels and newsletters (marketing materials) to you by email based on such an analysis.

In connection with the above, we process the following types of personal data: [your name, email address and postal code].

We will retain your purchase history and use details of the products you have previously purchased to make suggestions to you for other products which we believe you will also be interested in.

Also, we collect and process personal data on you (including: name, email and postal code), if you enroll in one of our loyalty or marketing programs. We process the personal data on how and how often you use our loyalty program (called "Brøchner Friends") and other programs such as "Neighbors" and/or "STAMP program". We process this information in order to create loyalty and create benefits for you by choosing us.

The legal basis for the above processing is GDPR art. 6(1)(a), cf. the Danish Data Protection Act art. 6(1), since you consent to such processing of your personal data in connection with profiling and marketing.

You can withdraw your consent to the above processing, including to receive our newsletter emails, at any time following the procedure specified in section 6 ("Your Rights"). Your withdrawal of your consent will not affect the lawfulness of our processing prior to the withdrawal.

1.2 STATISTICS

We transfer the following personal data to statistics: name and email. This processing is carried out in order for us to improve our products and services, assess our general performance and to develop new products and services, special offers and other business-related initiatives.

The legal basis for the above processing (the transfer of your personal data to statistical information) is our legitimate interests, cf. GDPR art. 6(1)(f), cf. the Danish Data Protection Act art. 6(1). These legitimate interests include:

• Improvement of our products and services, including the user experience on our website
• Assess our general performance
• Development of new products and services, special offers and other business-related initiatives

2.1 We will not sell or disclose Guests, Customers or Visitors personal data to third party, persons or businesses.

2.2 We will share your personal data with the following categories of recipients:

• Data processors and vendors that help us deliver our products and services to you.
• Companies within the Brøchner Hotels Group
• Public authorities, if relevant and applicable
• Advisors to Brøchner Hotels

2.3 We will share your personal data if required by law and official authorities or to protect ourselves and other customers. For example, if your personal data is required in court or based on fraud investigation.

3.1 We do not transfer your personal data outside of EU/EEA.

4.1 Your personal information will be retained for as long as is necessary to carry out the purposes set out in this privacy policy (unless a longer retention period is required by applicable law).

4.2 Financial/accounting data will be kept for [five years] after the end of the financial year the data relates to (cf. the Danish Bookkeeping Act).

5.1 Access to Personal Data is restricted to authorized personnel who have a legitimate business purpose for accessing and processing your Personal Data.

6.1 You can always exercise your rights pursuant to the GDPR chapter III by requesting so to us through the contact details set out in section 8.

6.2 Your rights include e.g.:

• Your right to access your personal data
• Your right to rectification, if you believe that any information we hold about you is incorrect or incomplete
• Your right to request erasure (including the right to be forgotten) under certain circumstances as specified in GDPR
• Your right to request the restriction of the processing of your personal data under certain circumstances as specified in GDPR
• Your right to data portability under certain circumstances as specified in the GDPR (i.e. the right to obtain the personal data you have provided to us in a structured, commonly used and machine-readable format and to request the transmission of such personal data to a third party with respect to the limitations and obligations set out in the GDPR)
• Your right to object to the processing of your Personal Data under certain circumstances as specified in GDPR

You can read more about data protection law and your rights on the webpage of Datatilsynet: www.datatilsynet.dk.

6.3 The Parties will process that request in line with any local laws and its policies and procedures in place for dealing with such requests.

6.4 You can also withdraw your consent to receive our newsletter emails (and other processing based on consent) at any time (without affecting the lawfulness of the processing prior to the withdrawal). [This is done by contacting us using the contact information provided below in section 8]. It will take effect immediately.

6.5 You have the right to file a complaint with the Danish Data Protection Authority (Datatilsynet) if you have reason to believe that processing of your personal data does not comply with applicable data protection law. The contact information of Datatilsynet is specified in section 9.

6.6 According to the applicable data protection law we are, if appropriate, obligated to inform whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and of the possible consequences of failure to provide such data. In this context, please note that the main part of the personal data referred to in this document is processed by us in order to enter into and manage an agreement/booking and is thus based on the performance of a contract – see GDPR art. 6(1)(b). If we are not able to process such personal data, we are most likely not able to confirm and management your stay with us, etc.

7.1 The Privacy Policy is subjected to versioning and it will be updated regularly. Any updates will be will notified to you in advance through our website (via pop-up or otherwise) and through our communication channels (e.g. by email, if available/applicable). Also, Guests, Customers and Visitors are obliged to read and understand our Privacy Policy while visiting our website and if making a reservation. By submitting your personal data through our channels, you are agreeing that you have read and understood our Privacy Policy.

7.2 We do not collect personal data on children under 18 years of age without the permission of their parents or a guardian.

8.1 You can contact us at:

Brøchner Hotels A/S

Sankt Peders Stræde 30C

1453 København K

Company registration no.: [35 47 46 76]

Telephone: +45 (33 95 77 00)

Email: privacy@brochner-hotels.dk

8.2 If you wish to complain about our processing of your personal data, you can file a complaint to the Danish Data Protection Agency (Datatilsynet) being the supervisory authority. The contact details are set forth below:

Datatilsynet

Borgergade 28, 5

DK-1300, Copenhagen K

Telephone: +45 (33 19 32 00)

E-mail: dt@datatilsynet.dk