What is HotelKey prohibited from doing with the Controller's Personal Data for Even Hotels?

According to Even Hotels' 2025 Franchise Disclosure Document, HotelKey, as the Processor of Hotel Personal Data, faces specific restrictions regarding the use of this data. HotelKey is prohibited from retaining, using, or disclosing the Personal Data from the Controller for any commercial purpose other than providing services under the Agreement, using the Personal Data for operational purposes permitted by Privacy Laws, and using the Personal Data to comply with its legal obligations. This means HotelKey's use of the data must be directly related to fulfilling its contractual obligations to Even Hotels.

Furthermore, HotelKey cannot retain, use, or disclose Personal Data outside of its direct business relationship with the Controllers or "sell" or "share" the Personal Data as defined by the Privacy Laws. This provision ensures that HotelKey does not exploit the data for its own unrelated business purposes or transfer it to third parties without proper authorization. If HotelKey is legally required to disclose Personal Data to an entity outside the Agreement, it must inform both Even Hotels and IHG before making the disclosure, to the extent permitted by applicable Law.

These restrictions are designed to protect the privacy of Even Hotels' customers and ensure compliance with data protection laws. For a prospective Even Hotels franchisee, this means that the data processing arrangements with HotelKey are structured to safeguard customer information and limit the potential for misuse or unauthorized disclosure. Franchisees should ensure they understand the terms of the Agreement and Attachment 2-A, which further define the purposes for which HotelKey may process Personal Data.