Please note, your browser is out of date.
For a good browsing experience we recommend using the latest version of Chrome, Firefox, Safari, Opera or Internet Explorer.

Privacy Policy

Privacy Policy

General Data Protection Regulation

A. GENERAL INFORMATION 

INTRODUCTION

This document is part of a set of regulations concerning Sentidos Beach Retreat’s personal data protection in accordance with the General Data Protection Regulation, herein referred to as GDPR.

In the future, whenever this document is subject to updates, a new version will become immediately available after its approval.

The enforcement of this policy will be ensured by the evaluation of control indicators and/or audits (internal or external) at regular intervals, or in the event of significant changes.

Scope and purpose

This policy was implemented to demonstrate Sentidos Beach Retreat’s full commitment to and respect for privacy regulations and personal data protection.

Why this Privacy Policy?

This policy is established in order to disclose Sentidos Beach Retreat’s general rules concerning privacy and personal data processing. We collect and handle this information with great respect and always in line with national legislation on this subject.

Sentidos Beach Retreat is committed to the best practices in terms of security and personal data protection. Consequently, it has approved a strict programme to safeguard all data that is made available to Sentidos Beach Retreat by all those who, in some way, are associated with it.

What is the scope of this Privacy Policy?

This policy applies solely to personal data collected and processed by Sentidos Beach Retreat.

Addressees

This policy is addressed to the general public and to Sentidos Beach Retreat clients in particular and establishes obligations for all Sentidos Beach Retreat’s staff members.

Definitions

Personal data – All information about an identified or identifiable individual; individuals are identifiable when they may be directly or indirectly identified, through data such as name, ID number, place of residence, computerised data, but also by one or more specific elements regarding their identity in terms of physique, physiology, genetics, mind, economics, culture or social status.

Special categories – Personal data that reveals race or ethnicity, political opinions, religious or philosophical convictions, trade union affiliations, as well as processing data concerning genetic information, biometrics, health, sex life or sexual orientation.

Processing – The operation, or set of operations, by which personal data, or sets of personal data, are handled by automated or non-automated means, such as the collection, registration, organization, structuring, conservation, adaptation or alteration, recovery, consultation, usage, dissemination, comparison or interconnection, shortening, deletion or destruction of information.

Liable party – An individual or group of individuals, authority, agency or any other body which, individually or in association with others, establishes the purpose and means to process personal data.

Violation of Personal Data – An accidental or unlawful security breach that results in the unauthorized destruction, loss, change, disclosure or access to personal data was transferred, stored or subjected to any other type of processing.

Outsourcing – An individual or group of individuals, authority, agency or any other body that treats personal data according to instructions issued by the person responsible for the data in question.

Third-Party – An individual or group of individuals, authority, service or body that, although not the subjects or bodies responsible for processing the data are authorized to act under the direct authority of the body in charge of processing.

PERSONAL DATA COLLECTION AND PROCESSING

Sentidos Beach Retreat’s activity involves the collection, registration, organization, archive, use and consultation of personal data. This may also involve other operations that, according to the General Data Protection Regulation, are called “personal data processing”.

Personal data collection regards staff members but also suppliers, clients and others.

Sentidos Beach Retreat collects personal data, namely data that is necessary for reservations and invoicing, as well as personal data from staff members to comply with legal employment requirements.

Upon collecting personal data, Sentidos Beach Retreat will supply data subjects with detailed information regarding the nature of the data collected and the use and processing it will entail, as well as information mentioned above regarding the right to access one’s personal data.

OUTSOURCING

Regarding personal data processing, Sentidos Beach Retreat may outsource this activity to third parties that will process personal data on its behalf, and according to the instructions provided, in strict compliance with the law and this policy.

These outsourced entities cannot release or disclose data without Sentidos Beach Retreat’s prior and written authorization. They are also forbidden to outsource other entities without Sentidos Beach Retreat’s prior authorization.

Sentidos Beach Retreat shall only outsource data processing to entities that offer the best guarantees in the implementation of adequate technical and organizational procedures, in order to ensure the protection of data subjects’ rights. All outsourced entities will remain legally bound by a written contract that establishes the purpose, duration, nature of the processing, type of personal data and data categories, as well as the rights and obligations of both parties.

Upon collecting personal data, Sentidos Beach Retreat will provide data subjects with information regarding the outsourced entity that, in each specific case, is authorized to process the data on its behalf.

DATA COLLECTION CHANNELS

Sentidos Beach Retreat may collect data directly (i.e. directly from the subject) or indirectly (i.e. through partners or third parties). Data can be collected using the following channels:

Direct collection: in person, by telephone or email

Indirect collection: via partners or reservation companies, as well as official bodies.

GENERAL PRINCIPLES OF PERSONAL DATA PROCESSING

Regarding the general principles of personal data processing, Sentidos Beach Retreat ensures that the data processed will be:

  • the subject of lawful, legal and transparent processing;
  • collected for specific, explicit and legitimate ends, and shall never be subsequently misused;
  • adequate, pertinent and restricted to what is strictly necessary for the purpose for which it is being treated;
  • precise and updated whenever necessary, taking all adequate measures to ensure that inaccurate data, considering the purposes for which it is processed, is immediately deleted or corrected;
  • stored in a manner that only enables identification of data subjects during the period strictly required for that purpose;
  • processed in a manner that ensures its security, including protection from unauthorized or unlawful processing, as well as preventing loss, destruction or accidental damage, applying all adequate technical and organizational measures;

 

Data processing by Sentidos Beach Retreat is lawful when at least one of the following situations occurs:

The data subject has explicitly authorised the processing of his/her data for one, or more, specific purpose(s);

  • Data processing is necessary to perform a contract where the data subject is one of the parties, or for pre-contractual diligences at the subject’s request;
  • Data processing is required to fulfil a legal obligation by which Sentidos Beach Retreat is bound;
  • Data processing is necessary to protect the vital interests of the subject or any other individual;
  • Data processing is necessary to pursue the legitimate interests of Sentidos Beach Retreat or any third parties, (unless the interests or fundamental rights and freedoms of data subjects prevail over the data processing).
  • Sentidos Beach Retreat ensures that data processing is only carried out under the circumstances mentioned above and in full compliance with the principles laid out.

 

When data processing is based on the subject’s consent, he/she also has the right to withdraw consent at any time. However, the withdrawal of consent does not jeopardize the lawfulness of data processed by Sentidos Beach Retreat under the subject’s previous authorization.

The length of time during which the data is stored depends on the purpose for which it is processed.

There are legal requirements stating that data must be stored for a minimum period of time. Therefore, and provided there are no specific legal requirements, data will only be stored for the minimum period of time necessary to achieve the purposes for which it was collected and subsequently processed. At the end of this period, the data will be deleted.

USE AND PURPOSE OF PERSONAL DATA PROCESSING

Overall, Sentidos Beach Retreat uses personal data for purposes such as invoicing and billing of clients, marketing, human resources management and staff recruitment.

Personal data collected by Sentidos Beach Retreat will not be shared with third parties, unless it has received the subject’s prior consent, with the exception of the situations mentioned below. However, in case the subject hires services provided by other entities other than Sentidos Beach Retreat, the subject’s data may be consulted and accessed by these entities, inasmuch as this is necessary to provide the requested services.

Sentidos Beach Retreat is legally permitted to convey or divulge personal data to other entities, in case this is necessary to perform a contract, or for pre-contractual diligences at the subject’s request, if this is required to fulfil a legal obligation that binds Sentidos Beach Retreat, or if it is necessary to achieve Sentidos Beach Retreat’s (or a third party’s) legitimate interests. If personal data is shared with a third party, Sentidos Beach Retreat will ensure this entity shall use the data according to this policy.

TECHNICAL, ORGANISATIONAL AND SECURITY PROCEDURES

In order to guarantee personal data protection, Sentidos Beach Retreat agrees to use it according to security and confidentiality policies and internal procedures. This information shall be updated on a regular basis, according to needs and pursuant to the legally established terms and conditions.

Given the nature, scope, context and purposes of data processing, and considering the risks this operation may entail regarding the subjects’ legal rights and freedoms, Sentidos Beach Retreat agree to apply the adequate legal technical and organizational procedures for personal data protection, both at the time when processing procedures are set in place, as well as during the processing itself.

Sentidos Beach Retreat also agrees to ensure that, by default, only the necessary data for each specific purpose is processed and that this data cannot be made available, without human intervention, to an unlimited number of people.

As such, Sentidos Beach Retreat adopts the following general procedures:

  • Regular audits to assess the quality of the implemented procedures;
  • The general awareness and training of staff members involved in data processing;
  • Mechanisms that ensure the constant confidentiality, availability and resilience of Sentidos Beach Retreat’s information systems;
  • Mechanisms that can recover information systems as well as access to personal data in a timely fashion, in case of a physical or technical incident.

 

B. RIGHTS OF DATA SUBJECTS

RIGHT TO INFORMATION

The information provided by Sentidos Beach Retreat is listed below:

  • Sentidos Beach Retreat’s identity and contacts and, whenever possible, the name of the person in charge of data processing;
  • Purposes of the data processing and, if applicable, the legal grounds for this operation;
  • If the data processing is based on Sentidos Beach Retreat’s legitimate interests or those of a third party, these interests must be specified;
  • If applicable, the recipient, or categories of recipients of the personal data;
  • Personal data retention period;
  • The right to access one’s personal data, and in so doing, the right to order its correction, deletion or limitation; as well as the right to oppose data processing and the right to data portability;
  • If the data processing is based on the subject’s consent, the right to withdraw this consent at any time, without jeopardizing the lawfulness of the processing carried out based on previously given consent;
  • The right to lodge a complaint with the authority;
  • The right to be informed if imparting personal data is, or is not, a legal or binding obligation or a prerequisite to perform a contract, as well as whether the subject is obliged to supply his/her personal data and the likely consequences of not supplying such data;
  • If applicable, the existence of automated decisions, including the definition of a profile and its underlying logic, as well as the importance and likely consequences of such processing;
  • Aside from the information mentioned above, if personal data is obtained from sources other than the data subject, Sentidos Beach Retreat is obliged to inform the subject of the different personal data categories subject to processing, their origin, and if they may derive from sources available to the general public;
  • If Sentidos Beach Retreat intends to process personal data for purposes other than those for which data was been collected, before the operation takes place the hotel will supply the subject with information in that regard, as well as any other relevant information, in the abovementioned terms.

 

Procedures and measures implemented to comply with the right to information:

The information mentioned above shall be supplied in writing (including electronically) by Sentidos Beach Retreat before processing personal data.

Information provided by Sentidos Beach Retreat is not subject to payment.

RIGHT TO ACCESS ONE’S PERSONAL DATA

Sentidos Beach Retreat will ensure the means by which data subjects can access their personal data.

Data subjects have the right to obtain information about the processing, or non-processing, of their personal data and, as such, the right to access their personal data and the following information:

  • The purposes of processing personal data;
  • The different categories of the personal data in question;
  • The recipients or categories of recipients with whom the personal data was or shall be shared, namely recipients in other countries or belonging to international organisations;
  • Personal data retention period;
  • The right to request the correction, deletion or limitation of personal data, as well as the right to oppose processing;
  • The right to lodge a complaint with the authority;
  • The right to be informed of the data’s origin if it was not collected from the subject;
  • The right to be informed of automated decisions, including profile definition, and information regarding the underlying logic, as well as the importance and likely consequences of such processing;
  • The right to be informed of the adequate guarantees associated with data transfer to foreign countries or international organisations.

If requested, Sentidos Beach Retreat will provide the subject with a copy of the data that is being processed. Other copies may incur administrative costs.

RIGHT TO CORRECT ONE’S PERSONAL DATA

Data subjects have the right to request the correction of their personal data, as well as the completion of any incomplete personal data, by supplying an additional statement. 

In the case of data correction, Sentidos Beach Retreat will share this information with data recipient, unless this reporting is impossible or implies an unreasonable effort by the hotel.

RIGHT TO DELETE ONE’S PERSONAL DATA (“RIGHT TO BE FORGOTTEN”)

Data subjects have the right to request that Sentidos Beach Retreat deletes their data whenever one of the following situations takes place:

  • The subject’s data is no longer necessary for the purpose determined in its collection or processing;
  • The subject withdraws his/her consent, and there are no legal grounds to justify the operation;
  • The subject refuses data processing based on his/her right to oppose this operation and the lack of prevailing legitimate interests to justify the processing;
  • In case the data is unlawfully processed;
  • If the data must be deleted to fulfil a legal obligation to which Sentidos Beach Retreat is bound.

According to the applicable law, Sentidos Beach Retreat is not obliged to delete subjects’ data if the processing is necessary to fulfil a legal provision or for the purpose of a statement, exercise or defence of a right in court.

If data is deleted, Sentidos Beach Retreat will inform each recipient/entity to whom the data was transferred to delete such data as well, unless this reporting is impossible or implies an unreasonable effort by Sentidos Beach Retreat.

When Sentidos Beach Retreat has made the data available to the public and is subsequently forced to delete it, under the subject’s right to have it deleted, Sentidos Beach Retreat will ensure all the necessary procedures, including technical ones, considering the available technology and costs to apply it, to inform those in charge of data processing that the subject has requested his/her data be deleted, as well as any copies or reproductions.

RIGHT TO LIMIT THE USE OF ONE’S PERSONAL DATA

Data subjects have the right to limit Sentidos Beach Retreat’s data processing if one of the following situations takes place (this limitation consists in including a mark/sign in the personal data kept by Sentidos Beach Retreat to restrict the use of this data in the future):

  • If the accuracy of the personal data is contested within a period that enables Sentidos Beach Retreat to verify its accuracy;
  • If the data processing is unlawful and the data subject opposes deletion data, requesting, in return, the limitation of its use:
  • If Sentidos Beach Retreat no longer needs the data for processing purposes, but the data is requested by the subject to be used as a statement, exercise or defence of a right in court;
  • If the subject has opposed the data processing, but Sentidos Beach Retreat’s legitimate reasons prevail over those of the subject.

When data processing has been limited, except for storage purposes, it can only be treated with the subject’s consent. It may also be used as a statement, exercise or defence of a right in court, to defend the rights of another person or entity, or for reasons of public interest.

Subjects who have limited data processing in the cases described above will be informed by Sentidos Beach Retreat before the request to limit processing is overruled.

In case of data processing is limited, Sentidos Beach Retreat will inform each recipient to whom the data was transferred to this limitation unless this reporting is impossible or implies an unreasonable effort by Sentidos Beach Retreat.

RIGHT OF PORTABILITY OF ONE’S PERSONAL DATA

The data subject has the right to obtain his/her personal data from Sentidos Beach Retreat. This data must be delivered in a manner that is organized, easy to use and uncomplicated to read, and the subject has the right to transfer this data to another agent responsible for data processing if:

  • This processing is based on the subject’s consent or on a contract where the subject is one of the parties;

and

  • The processing is performed using a computer.

The right to portability does not include inferred or derived data, i.e. personal data that may be issued by Sentidos Beach Retreat as a consequence or resulting from data processing analysis.

The data subject has the right to request that his/her personal data be directly communicated to the entities responsible for processing, whenever this is technically possible.

RIGHT TO OPPOSE PERSONAL DATA PROCESSING

Data subjects have the right to oppose their personal data processing whenever they wish, provided the reasons are associated with a specific situation, to the processing of data that is based on the exercise of Sentidos Beach Retreat’s legitimate interests, or when the processing is performed for purposes other than those for which the data was collected, including profile definition or use for statistics.

Sentidos Beach Retreat will cease personal data processing unless there are imperative and legitimate reasons for processing that prevail over the interests, rights and freedoms of the subjects, or for the statement, exercise or defence of Sentidos Beach Retreat’s rights in court.

When the subject’s data is treated for direct marketing, he/she has the right to oppose this use at any time, including for profile definition to the extent that this is associated with direct marketing. If this is the case, Sentidos Beach Retreat will immediately cease to use the data for that purpose.

The data subject is also entitled to oppose any automated decision, including profile definition, which may affect the judicial sphere or similar, unless the decision:

  • Is necessary to perform or conclude a contract between the subject and Sentidos Beach Retreat;
  • Has been authorized due to legislation affecting Sentidos Beach Retreat; or
  • Is based on the data subject’s explicit consent.

PROCEDURES ON HOW TO EXERCISE ONE’S RIGHTS

The right to access, correct, delete, limit, transfer and oppose data processing may be exercised by the subject by filling out a form addressed to Sentidos Beach Retreat.

Sentidos Beach Retreat will reply in writing (including via computer) within 1 month (max) after the receiving the request, except in very complex cases, where this deadline may be extended for an additional month (2 months in total).

If requests are clearly unfounded or excessive, namely if they are repetitive, Sentidos Beach Retreat reserves the right to charge administrative costs or refuse to pursue the matter.

PERSONAL DATA VIOLATION

In case of personal data violation and if this violation may involve a high risk for the fundamental rights and freedoms of the subject, Sentidos Beach Retreat will notify the authority within the 72 hours following the detection of the incident.

According to law, this notification is not necessary for the following situations:

  • If Sentidos Beach Retreat has put in place all the adequate protection procedures, both technical and organisational, and these procedures have been applied to the personal data that has been violated, especially procedures which render personal data incomprehensible to anyone without authorization to access this data, such as encryption;
  • In case Sentidos Beach Retreat has taken subsequent measures in order to ensure that the subject’s fundamental rights and freedoms are no longer affected; or
  • In case informing the subject involves an unreasonable effort. In this case, Sentidos Beach Retreat will issue a public statement or apply a similar measure through which the data subject will be informed.

 

C. FINAL CONSIDERATIONS

CHANGES TO PRIVACY POLICY

Sentidos Beach Retreat is entitled to change this Privacy Policy if and when necessary. In this case, the date of the latest change, indicated in the footnote, will also be updated.

book now