This document is part of a set of regulations concerning Torre de Palma’s personal data protection in accordance with the General Data Protection Regulation (2016/679), herein referred to as GDPR.
In the future, whenever this document is subject to updates, a new version will become immediately available after its approval.
The enforcement of this policy will be ensured by the evaluation of control indicators and/or audits (internal or external) at regular intervals, or in the event of significant changes.
Scope and purpose
This policy was implemented to demonstrate Torre de Palma’s full commitment to and respect for privacy regulations and personal data protection.
Why this Privacy Policy?
This policy is established in order to disclose Torre de Palma’s general rules concerning privacy and personal data processing. We collect and handle this information with great respect and always in line with national and European legislation on this subject.
Torre de Palma is committed to the best practices in terms of security and personal data protection. Consequently, it has approved a strict programme to safeguard all data that is made available to Torre de Palma by all those who, in some way, are associated with it.
What is the scope of this Privacy Policy?
This policy applies solely to personal data collected and processed by Torre de Palma.
Addressees
This policy is addressed to the general public and to Torre de Palma clients in particular, and establishes obligations for all Torre de Palma’s staff members.
DEFINITIONS
Personal Data – All information about an identified or identifiable individual; individuals are identifiable when they may be directly or indirectly identified, through data such as name, ID number, place of residence, computerised data, but also by one or more specific elements regarding their identity in terms of physique, physiology, genetics, mind, economics, culture or social status.
Special categories – Personal data that reveals race or ethnicity, political opinions, religious or philosophical convictions, trade union affiliations, as well as processing data concerning genetic information, biometrics, health, sex life or sexual orientation.
Processing – The operation, or set of operations, by which personal data, or sets of personal data, are handled by automated or non-automated means, such as the collection, registration, organisation, structuring, conservation, adaptation or alteration, recovery, consultation, usage, dissemination, comparison or interconnection, shortening, deletion or destruction of information.
Liable party – An individual or group of individuals, authority, agency or any other body which, individually or in association with others, establishes the purpose and means to process personal data; whenever the purpose and means of processing are legally determined by the European Union or by a member-state, the appointment of such a party may be contemplated in the European Union or member-state’s law.
Violation of Personal Data – An accidental or unlawful security breach that results in the unauthorised destruction, loss, change, disclosure of or access to personal data that was transferred, stored or subjected to any other type of processing.
Outsourcing – An individual or group of individuals, authority, agency or any other body that treats personal data according to instructions issued by the person responsible for the data in question.
Third Party – An individual or group of individuals, authority, service or body that, although not the subjects or bodies responsible for processing the data, are authorised to act under the direct authority of the body in charge of processing.
PERSONAL DATA COLLECTION AND PROCESSING
Torre de Palma’s activity involves the collection, registration, organisation, archive, use and consultation of personal data. This may also involve other operations that, according to the General Data Protection Regulation, are called “personal data processing”.
Personal data collection regards staff members but also suppliers, clients and others.
Torre de Palma collects personal data, namely data that is necessary for reservations and invoicing, as well as personal data from staff members to comply with legal employment requirements.
Upon collecting personal data, Torre de Palma will supply data subjects with detailed information regarding the nature of the data collected and the use and processing it will entail, as well as information mentioned above regarding the right to access one’s personal data.
OUTSOURCING
Regarding personal data processing, Torre de Palma may outsource this activity to third parties that will process personal data on its behalf, and according to the instructions provided, in strict compliance with the law and this policy.
These outsourced entities cannot release or disclose data without Torre de Palma’s prior and written authorisation. They are also forbidden to outsource to other entities without Torre de Palma’s prior authorisation.
Torre de Palma shall only outsource data processing to entities that offer the best guarantees in the implementation of adequate technical and organisational procedures, in order to ensure the protection of data subjects’ rights. All outsourced entities will remain legally bound by a written contract that establishes the purpose, duration, nature of processing, type of personal data and data categories, as well as the rights and obligations of both parties.
Upon collecting personal data, Torre de Palma will provide data subjects with information regarding the outsourced entity that, in each specific case, is authorised to process the data on its behalf.
DATA COLLECTION CHANNELS
Torre de Palma may collect data directly (i.e. directly from the subject) or indirectly (i.e. through partners or third parties). Data can be collected using the following channels:
Direct collection: in person, by telephone or email
Indirect collection: via partners or reservation companies, as well as official bodies.
GENERAL PRINCIPLES OF PERSONAL DATA PROCESSING
Regarding the general principles of personal data processing, Torre de Palma ensures that the data processed will be:
Data processing by Torre de Palma is lawful when at least one of the following situations occurs:
The data subject has explicitly authorised the processing of his/her data for one, or more, specific purpose(s);
Torre de Palma ensures that data processing is only carried out under the circumstances mentioned above and in full compliance with the principles laid out.
When data processing is based on the subject’s consent, he/she also has the right to withdraw consent at any time. However, the withdrawal of consent does not jeopardise the lawfulness of data processed by Torre de Palma under the subject’s previous authorisation.
The length of time during which the data is stored depends on the purpose for which it is processed.
There are legal requirements stating that data must be stored for a minimum period of time. Therefore, and provided there are no specific legal requirements, data will only be stored for the minimum period of time necessary to achieve the purposes for which it was collected and subsequently processed. At the end of this period, the data will be deleted.
USE AND PURPOSE OF PERSONAL DATA PROCESSING
Overall, Torre de Palma uses personal data for purposes such as invoicing and billing of clients, marketing, human resources management and staff recruitment.
Personal data collected by Torre de Palma will not be shared with third parties, unless it has received the subject’s prior consent, with the exception of the situations mentioned below. However, in case the subject hires services provided by entities other than Torre de Palma, the subject’s data may be consulted and accessed by these entities, inasmuch as this is necessary to provide the requested services.
Torre de Palma is legally permitted to convey or divulge personal data to other entities, in case this is necessary to perform a contract, or for pre-contractual diligences at the subject’s request, if this is required to fulfil a legal obligation that binds Torre de Palma, or if it is necessary to achieve Torre de Palma’s (or a third party’s) legitimate interests. If personal data is shared with a third party, Torre de Palma will ensure this entity shall use the data according to this policy.
TECHNICAL, ORGANISATIONAL AND SECURITY PROCEDURES
In order to guarantee personal data protection, Torre de Palma agrees to use it according to security and confidentiality policies and internal procedures. This information shall be updated on a regular basis, according to needs and pursuant to the legally established terms and conditions.
Given the nature, scope, context and purposes of data processing, and considering the risks this operation may entail regarding the subjects’ legal rights and freedoms, Torre de Palma agrees to apply the adequate legal technical and organisational procedures for personal data protection, both at the time when processing procedures are set in place and during the processing itself.
Torre de Palma also agrees to ensure that, by default, only the necessary data for each specific purpose is processed and that this data cannot be made available, without human intervention, to an unlimited number of people.
As such, Torre de Palma adopts the following general procedures:
DATA TRANSFER OUTSIDE THE EUROPEAN UNION
Personal data collected and used by Torre de Palma is not made available to third parties outside the European Union. If, in the future, the status quo changes and transfers take place, then Torre de Palma will ensure that the transfer observes all legal requirements, namely the other country’s adequate legal framework concerning data protection, as well as the requirements for such transfers.
B. RIGHTS OF DATA SUBJECTS
RIGHT TO INFORMATION
The information provided by Torre de Palma is listed below:
Procedures and measures implemented to comply with the right to information:
The information mentioned above shall be supplied in writing (including electronically) by Torre de Palma before processing personal data. According to Portuguese law, Torre de Palma is not obliged to supply this information to the data subject when, and to the extent that, the subject is already aware of it.
Information provided by Torre de Palma is not subject to payment.
RIGHT TO ACCESS ONE’S PERSONAL DATA
Torre de Palma will ensure the means by which data subjects can access their personal data.
Data subjects have the right to obtain information about the processing, or non-processing, of their personal data and, as such, the right to access their personal data and the following information:
If requested, Torre de Palma will provide the subject with a copy of the data that is being processed. Other copies may incur administrative costs.
RIGHT TO CORRECT ONE’S PERSONAL DATA
Data subjects have the right to request the correction of their personal data, as well as the completion of any incomplete personal data, by supplying an additional statement.
In case of data correction, Torre de Palma will share this information with data recipients, unless this reporting is impossible or implies an unreasonable effort by the hotel.
RIGHT TO DELETE ONE’S PERSONAL DATA (“RIGHT TO BE FORGOTTEN”)
Data subjects have the right to request that Torre de Palma deletes their data whenever one of the following situations takes place:
According to the applicable law, Torre de Palma is not obliged to delete subjects’ data if processing is necessary to fulfil a legal provision or for the purpose of a statement, exercise or defence of a right in court.
If data is deleted, Torre de Palma will inform each recipient/entity to whom the data was transferred to delete such data as well, unless this reporting is impossible or implies an unreasonable effort by Torre de Palma.
When Torre de Palma has made the data available to the public and is subsequently forced to delete it, under the subject’s right to have it deleted, Torre de Palma will ensure all the necessary procedures, including technical ones, considering the available technology and costs to apply it, to inform those in charge of data processing that the subject has requested his/her data be deleted, as well as any copies or reproductions.
RIGHT TO LIMIT THE USE OF ONE’S PERSONAL DATA
Data subjects have the right to limit Torre de Palma’s data processing if one of the following situations takes place (this limitation consists in including a mark/sign in the personal data kept by Torre de Palma to restrict the use of this data in the future):
When data processing has been limited, except for storage purposes, it can only be treated with the subject’s consent. It may also be used as a statement, exercise or defence of a right in court, to defend the rights of another person or entity, or for reasons of public interest.
Subjects who have limited data processing in the cases described above will be informed by Torre de Palma before the request to limit processing is overruled.
In case data processing is limited, Torre de Palma will inform each recipient to whom the data was transferred of this limitation, unless this reporting is impossible or implies an unreasonable effort by Torre de Palma.
RIGHT OF PORTABILITY OF ONE’S PERSONAL DATA
The data subject has the right to obtain his/her personal data from Torre de Palma. This data must be delivered in a manner that is organised, easy to use and uncomplicated to read, and the subject has the right to transfer this data to another agent responsible for data processing if:
and
The right to portability does not include inferred or derived data, i.e. personal data that may be issued by Torre de Palma as a consequence or resulting from data processing analysis.
The data subject has the right to request that his/her personal data be directly communicated to the entities responsible for processing, whenever this is technically possible.
RIGHT TO OPPOSE PERSONAL DATA PROCESSING
Data subjects have the right to oppose their personal data processing whenever they wish, provided the reasons are associated with a specific situation, to the processing of data that is based on the exercise of Torre de Palma’s legitimate interests, or when the processing is performed for purposes other than those for which the data was collected, including profile definition or use for statistics.
Torre de Palma will cease personal data processing, unless there are imperative and legitimate reasons for processing that prevail over the interests, rights and freedoms of the subjects, or for the statement, exercise or defence of Torre de Palma’s rights in court.
When the subject’s data is treated for direct marketing, he/she has the right to oppose this use at any time, including for profile definition to the extent that this is associated with direct marketing. If this is the case, Torre de Palma will immediately cease to use the data for that purpose.
The data subject is also entitled to oppose any automated decision, including profile definition, which may affect the judicial sphere or similar, unless the decision:
PROCEDURES ON HOW TO EXERCISE ONE’S RIGHTS
The right to access, correct, delete, limit, transfer and oppose data processing may be exercised by the subject by filling out a form addressed to Torre de Palma.
Torre de Palma will reply in writing (including via computer) within 1 month (max) after receiving the request, except in very complex cases, where this deadline may be extended for an additional month (2 months in total).
If requests are clearly unfounded or excessive, namely if they are repetitive, Torre de Palma reserves the right to charge administrative costs or refuse to pursue the matter.
PERSONAL DATA VIOLATION
In case of personal data violation and if this violation may involve a high risk for the fundamental rights and freedoms of the subject, Torre de Palma will notify the CNPD within the 72 hours following detection of the incident.
According to law, this notification is not necessary in the following situations:
C. FINAL CONSIDERATIONS
CHANGES TO PRIVACY POLICY
Torre de Palma is entitled to change this Privacy Policy if and when necessary. In this case, the date of the latest change, indicated in the footnote, will also be updated.
LAW AND JURISDICTION
The Privacy Policy, as well as the collection, processing and transfer of data belonging to an individual, are governed by the provisions in EU Regulation 2016/679, of the European Parliament and Council, of 27 April 2016, and by Portuguese law and regulations.