General Data Protection Regulation
A. GENERAL INFORMATION
INTRODUCTION
This document is part of a set of regulations concerning Sentidos Beach Retreat’s personal data protection in accordance with the General Data Protection Regulation, herein referred to as GDPR.
In the future, whenever this document is subject to updates, a new version will become immediately available after its approval.
The enforcement of this policy will be ensured by the evaluation of control indicators and/or audits (internal or external) at regular intervals, or in the event of significant changes.
Scope and purpose
This policy was implemented to demonstrate Sentidos Beach Retreat’s full commitment to and respect for privacy regulations and personal data protection.
Why this Privacy Policy?
This policy is established in order to disclose Sentidos Beach Retreat’s general rules concerning privacy and personal data processing. We collect and handle this information with great respect and always in line with national legislation on this subject.
Sentidos Beach Retreat is committed to the best practices in terms of security and personal data protection. Consequently, it has approved a strict programme to safeguard all data that is made available to Sentidos Beach Retreat by all those who, in some way, are associated with it.
What is the scope of this Privacy Policy?
This policy applies solely to personal data collected and processed by Sentidos Beach Retreat.
Addressees
This policy is addressed to the general public and to Sentidos Beach Retreat clients in particular and establishes obligations for all Sentidos Beach Retreat’s staff members.
Definitions
Personal data – All information about an identified or identifiable individual; individuals are identifiable when they may be directly or indirectly identified, through data such as name, ID number, place of residence, computerised data, but also by one or more specific elements regarding their identity in terms of physique, physiology, genetics, mind, economics, culture or social status.
Special categories – Personal data that reveals race or ethnicity, political opinions, religious or philosophical convictions, trade union affiliations, as well as processing data concerning genetic information, biometrics, health, sex life or sexual orientation.
Processing – The operation, or set of operations, by which personal data, or sets of personal data, are handled by automated or non-automated means, such as the collection, registration, organization, structuring, conservation, adaptation or alteration, recovery, consultation, usage, dissemination, comparison or interconnection, shortening, deletion or destruction of information.
Liable party – An individual or group of individuals, authority, agency or any other body which, individually or in association with others, establishes the purpose and means to process personal data.
Violation of Personal Data – An accidental or unlawful security breach that results in the unauthorized destruction, loss, change, disclosure of, or access to, personal data that was transferred, stored or subjected to any other type of processing.
Outsourcing – An individual or group of individuals, authority, agency or any other body that treats personal data according to instructions issued by the person responsible for the data in question.
Third-Party – An individual or group of individuals, authority, service or body that, although not the subjects or bodies responsible for processing the data, are authorized to act under the direct authority of the body in charge of processing.
PERSONAL DATA COLLECTION AND PROCESSING
Sentidos Beach Retreat’s activity involves the collection, registration, organization, archive, use and consultation of personal data. This may also involve other operations that, according to the General Data Protection Regulation, are called “personal data processing”.
Personal data collection regards staff members but also suppliers, clients and others.
Sentidos Beach Retreat collects personal data, namely data that is necessary for reservations and invoicing, as well as personal data from staff members to comply with legal employment requirements.
Upon collecting personal data, Sentidos Beach Retreat will supply data subjects with detailed information regarding the nature of the data collected and the use and processing it will entail, as well as information mentioned above regarding the right to access one’s personal data.
OUTSOURCING
Regarding personal data processing, Sentidos Beach Retreat may outsource this activity to third parties that will process personal data on its behalf, and according to the instructions provided, in strict compliance with the law and this policy.
These outsourced entities cannot release or disclose data without Sentidos Beach Retreat’s prior and written authorization. They are also forbidden to outsource to other entities without Sentidos Beach Retreat’s prior authorization.
Sentidos Beach Retreat shall only outsource data processing to entities that offer the best guarantees in the implementation of adequate technical and organizational procedures, in order to ensure the protection of data subjects’ rights. All outsourced entities will remain legally bound by a written contract that establishes the purpose, duration, nature of the processing, type of personal data and data categories, as well as the rights and obligations of both parties.
Upon collecting personal data, Sentidos Beach Retreat will provide data subjects with information regarding the outsourced entity that, in each specific case, is authorized to process the data on its behalf.
DATA COLLECTION CHANNELS
Sentidos Beach Retreat may collect data directly (i.e. directly from the subject) or indirectly (i.e. through partners or third parties). Data can be collected using the following channels:
Direct collection: in person, by telephone or email
Indirect collection: via partners or reservation companies, as well as official bodies.
GENERAL PRINCIPLES OF PERSONAL DATA PROCESSING
Regarding the general principles of personal data processing, Sentidos Beach Retreat ensures that the data processed will be:
Data processing by Sentidos Beach Retreat is lawful when at least one of the following situations occurs:
The data subject has explicitly authorised the processing of his/her data for one, or more, specific purpose(s);
When data processing is based on the subject’s consent, he/she also has the right to withdraw consent at any time. However, the withdrawal of consent does not jeopardize the lawfulness of data processed by Sentidos Beach Retreat under the subject’s previous authorization.
The length of time during which the data is stored depends on the purpose for which it is processed.
There are legal requirements stating that data must be stored for a minimum period of time. Therefore, and provided there are no specific legal requirements, data will only be stored for the minimum period of time necessary to achieve the purposes for which it was collected and subsequently processed. At the end of this period, the data will be deleted.
USE AND PURPOSE OF PERSONAL DATA PROCESSING
Overall, Sentidos Beach Retreat uses personal data for purposes such as invoicing and billing of clients, marketing, human resources management and staff recruitment.
Personal data collected by Sentidos Beach Retreat will not be shared with third parties, unless it has received the subject’s prior consent, with the exception of the situations mentioned below. However, in case the subject hires services provided by entities other than Sentidos Beach Retreat, the subject’s data may be consulted and accessed by these entities, inasmuch as this is necessary to provide the requested services.
Sentidos Beach Retreat is legally permitted to convey or divulge personal data to other entities, in case this is necessary to perform a contract, or for pre-contractual diligences at the subject’s request, if this is required to fulfil a legal obligation that binds Sentidos Beach Retreat, or if it is necessary to achieve Sentidos Beach Retreat’s (or a third party’s) legitimate interests. If personal data is shared with a third party, Sentidos Beach Retreat will ensure this entity shall use the data according to this policy.
TECHNICAL, ORGANISATIONAL AND SECURITY PROCEDURES
In order to guarantee personal data protection, Sentidos Beach Retreat agrees to use it according to security and confidentiality policies and internal procedures. This information shall be updated on a regular basis, according to needs and pursuant to the legally established terms and conditions.
Given the nature, scope, context and purposes of data processing, and considering the risks this operation may entail regarding the subjects’ legal rights and freedoms, Sentidos Beach Retreat agrees to apply the adequate legal technical and organizational procedures for personal data protection, both at the time when processing procedures are set in place and during the processing itself.
Sentidos Beach Retreat also agrees to ensure that, by default, only the necessary data for each specific purpose is processed and that this data cannot be made available, without human intervention, to an unlimited number of people.
As such, Sentidos Beach Retreat adopts the following general procedures:
B. RIGHTS OF DATA SUBJECTS
RIGHT TO INFORMATION
The information provided by Sentidos Beach Retreat is listed below:
Procedures and measures implemented to comply with the right to information:
The information mentioned above shall be supplied in writing (including electronically) by Sentidos Beach Retreat before processing personal data.
Information provided by Sentidos Beach Retreat is not subject to payment.
RIGHT TO ACCESS ONE’S PERSONAL DATA
Sentidos Beach Retreat will ensure the means by which data subjects can access their personal data.
Data subjects have the right to obtain information about the processing, or non-processing, of their personal data and, as such, the right to access their personal data and the following information:
If requested, Sentidos Beach Retreat will provide the subject with a copy of the data that is being processed. Other copies may incur administrative costs.
RIGHT TO CORRECT ONE’S PERSONAL DATA
Data subjects have the right to request the correction of their personal data, as well as the completion of any incomplete personal data, by supplying an additional statement.
In the case of data correction, Sentidos Beach Retreat will share this information with data recipients, unless this reporting is impossible or implies an unreasonable effort by the hotel.
RIGHT TO DELETE ONE’S PERSONAL DATA (“RIGHT TO BE FORGOTTEN”)
Data subjects have the right to request that Sentidos Beach Retreat deletes their data whenever one of the following situations takes place:
According to the applicable law, Sentidos Beach Retreat is not obliged to delete subjects’ data if the processing is necessary to fulfil a legal provision or for the purpose of a statement, exercise or defence of a right in court.
If data is deleted, Sentidos Beach Retreat will inform each recipient/entity to whom the data was transferred to delete such data as well, unless this reporting is impossible or implies an unreasonable effort by Sentidos Beach Retreat.
When Sentidos Beach Retreat has made the data available to the public and is subsequently forced to delete it, under the subject’s right to have it deleted, Sentidos Beach Retreat will ensure all the necessary procedures, including technical ones, considering the available technology and costs to apply it, to inform those in charge of data processing that the subject has requested his/her data be deleted, as well as any copies or reproductions.
RIGHT TO LIMIT THE USE OF ONE’S PERSONAL DATA
Data subjects have the right to limit Sentidos Beach Retreat’s data processing if one of the following situations takes place (this limitation consists in including a mark/sign in the personal data kept by Sentidos Beach Retreat to restrict the use of this data in the future):
When data processing has been limited, except for storage purposes, it can only be treated with the subject’s consent. It may also be used as a statement, exercise or defence of a right in court, to defend the rights of another person or entity, or for reasons of public interest.
Subjects who have limited data processing in the cases described above will be informed by Sentidos Beach Retreat before the request to limit processing is overruled.
If data processing is limited, Sentidos Beach Retreat will inform each recipient to whom the data was transferred of this limitation, unless this reporting is impossible or implies an unreasonable effort by Sentidos Beach Retreat.
RIGHT OF PORTABILITY OF ONE’S PERSONAL DATA
The data subject has the right to obtain his/her personal data from Sentidos Beach Retreat. This data must be delivered in a manner that is organized, easy to use and uncomplicated to read, and the subject has the right to transfer this data to another agent responsible for data processing if:
and
The right to portability does not include inferred or derived data, i.e. personal data that may be issued by Sentidos Beach Retreat as a consequence or resulting from data processing analysis.
The data subject has the right to request that his/her personal data be directly communicated to the entities responsible for processing, whenever this is technically possible.
RIGHT TO OPPOSE PERSONAL DATA PROCESSING
Data subjects have the right to oppose their personal data processing whenever they wish, provided the reasons are associated with a specific situation, to the processing of data that is based on the exercise of Sentidos Beach Retreat’s legitimate interests, or when the processing is performed for purposes other than those for which the data was collected, including profile definition or use for statistics.
Sentidos Beach Retreat will cease personal data processing unless there are imperative and legitimate reasons for processing that prevail over the interests, rights and freedoms of the subjects, or for the statement, exercise or defence of Sentidos Beach Retreat’s rights in court.
When the subject’s data is treated for direct marketing, he/she has the right to oppose this use at any time, including for profile definition to the extent that this is associated with direct marketing. If this is the case, Sentidos Beach Retreat will immediately cease to use the data for that purpose.
The data subject is also entitled to oppose any automated decision, including profile definition, which may affect the judicial sphere or similar, unless the decision:
PROCEDURES ON HOW TO EXERCISE ONE’S RIGHTS
The right to access, correct, delete, limit, transfer and oppose data processing may be exercised by the subject by filling out a form addressed to Sentidos Beach Retreat.
Sentidos Beach Retreat will reply in writing (including via computer) within 1 month (max) after receiving the request, except in very complex cases, where this deadline may be extended for an additional month (2 months in total).
If requests are clearly unfounded or excessive, namely if they are repetitive, Sentidos Beach Retreat reserves the right to charge administrative costs or refuse to pursue the matter.
PERSONAL DATA VIOLATION
In case of personal data violation and if this violation may involve a high risk for the fundamental rights and freedoms of the subject, Sentidos Beach Retreat will notify the authority within the 72 hours following the detection of the incident.
According to law, this notification is not necessary for the following situations:
C. FINAL CONSIDERATIONS
CHANGES TO PRIVACY POLICY
Sentidos Beach Retreat is entitled to change this Privacy Policy if and when necessary. In this case, the date of the latest change, indicated in the footnote, will also be updated.