
PRIVACY POLICY

1. Privacy policy and personal data protection

This Personal Data Protection Policy is an integral part of the Website’s disclaimer.

In compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and Council, of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on their free movement (“GDPR”), which repealed Directive 95/46/EC, in addition to all other regulations in force, the Entity hereby informs the Users that their personal data shall be added to the Entity’s databases, for which the following are responsible:

 

2. Details of the data controller and contact details of the Chief Information Security Officer

  • Entity: EXCA, S.L. (hereinafter, the “Entity”)

TIN: B58771809

Address: Avenida St. Elm s/n, 17220 – Sant Feliu de Guíxols

E-mail: rgpd@bravahoteles.com

Chief Information Security Officer: Roser Rovira Segarra

 

3. Purposes of data processing

The data about you that the Entity shall keep on record are your name, address, telephone number, e-mail address, identity number, age, gender, nationality, invoicing information, as well as your username, password and payment details if you are a registered customer.

The Entity shall process the information it has about the persons affected for the following purposes:

  • Handling any type of request, suggestion or inquiry about our professional services submitted by interested parties.
  • Internal research and development on the products and services we offer.
  • Marketing messages, which entails the processing of your data for the purposes of informing you about activities, useful articles and general information about our services via email.

Interested parties may unsubscribe from receiving these messages by writing to the following address: rgpd@bravahoteles.com.

  • Handling the data submitted by job candidates on their curriculum vitae (CV) for a selection and recruitment process.
  • Likewise, we may be obliged to use and hold personal information for legal and compliance reasons.
  • It is also possible that we may use personal information to comply with internal and external audit requirements, and in any other way we consider necessary or suitable: (a) by virtue of the laws in force; (b) in response to requests from courts, security organizations, regulatory bodies, and other public and government authorities; (c) pursuant to our terms and conditions; and (d) to protect our rights, privacy, security and property, or those of other individuals.

The Entity shall process your data and information submitted for selection processes in the strictest confidence, whereby it shall adopt all of the technical and organizational measures required to prevent their loss, misuse, alteration and/or unauthorized access.

Data retention

  • Handling CVs: The Entity may retain your CV for a maximum term of one year. Once this term has elapsed, it shall be automatically destroyed in compliance with the principle of data quality.
  • To manage registration as a user of the Website during the time in which the status of registered user is maintained.
  • For marketing services, the processing will be carried out until the client communicates their intention to cancel the subscription to the newsletter or receipt of commercial communications.
  • In order to set the retention periods for all other data, the Entity takes into account local laws, contractual obligations, and our customers’ expectations and requirements. Whenever personal information is not necessary for the purpose for which it was collected, we eliminate or destroy it securely.

 

4. Legitimation

We process all personal data transparently and fairly in compliance with the law. Data processing is carried out:

  • For managing registration as a user on the Website and user identification.
  • For executing agreements entered into with the Entity, as they must be processed for us to fulfil our commitments with you.
  • Customer service.
  • Marketing and commercial communications.
  • For satisfying a legitimate interest sought by the Entity’s affiliates.
  • In compliance with the law.

 

5. Data flow

Data controllers: The Entity may facilitate access to certain personal data when it considers it necessary, in order to provide its services, as well as to improve them. When we share personal information, we do so in accordance with data privacy and security requirements, namely:

  • Financial entities.
  • Providers of technological and analytical services.
  • Providers and collaborators of services linked to the provision of hospitality services.
  • Service providers related to customer service.
  • Providers and collaborators of services related to marketing and advertising, such as advertising agencies, advertising partners or social networks that, in certain cases, may act as joint controllers.
  • Providers of legal, economic and financial services.

Group Companies: We share personal data between companies belonging to the Group Companies to carry out and improve the services that you have contracted with us.

Data disclosures: Personal data is not disclosed to third parties, unless the Entity is legally required to do so. Personal data disclosure, access and/or processing is not considered to have taken place whenever the data is required to properly render any of the services that the Users have engaged.

 

6. Sources

Sources: The Entity collects personal information from the following sources:

  • Information that is directly provided by the persons concerned during the check-in process, when they ask us for information, take out or use our services, or when they request customer services.
  • In addition, we may also obtain information from third parties that we consider is in the public domain or in a trade database in order to be able to offer you services that we believe may be useful to you and to keep accurate data on record, as well as to improve our products and services.

 

7. Rights

The right to Access, Rectification and Erasure: Interested parties have the right to obtain confirmation about whether the Entity is processing personal data that concerns them or not. Interested parties also have the right to access their personal data and to seek the rectification of imprecise data or, where applicable, request their elimination when, among other reasons, the data are no longer needed for the purposes for which they were collected.

Right of Restriction and to Object: In certain circumstances, interested parties may seek the limitation of the processing of their data, in which case we can only keep them to lodge or defend ourselves against complaints. Under certain circumstances and for reasons related to your particular situation, interested parties may object to the processing of their data. The Entity shall stop processing the data, except when there are compelling legitimate grounds not to do so, or to make or defend itself against potential complaints.

Right to data Portability: The interested parties are entitled to request the right to data portability, whereby their data shall be directly transferred to another entity or company, whenever this is technically feasible.

These rights may be exercised by email addressed to the Entity, attaching a photocopy of the ID of the data owner (rgpd@bravahoteles.com).

 

8. Updates and modifications

The Entity reserves the right to modify and/or amend the information about personal data protection whenever necessary for full compliance with the Data Protection Regulation. If any modifications are made, the new text shall be posted on this page, where you shall have access to the updated policy. In any event, the relationship with Users shall be governed by the regulations in place at the exact time you access the Website.

 

9. Communications channel and assistance

The Interested parties may make any inquiries about the processing of their personal data or the interpretation of our policy by writing to the following address: rgpd@bravahoteles.com.

Pursuant to the provisions of the Spanish law, “ley 34/2002 de 11 de julio, de Servicios de la Sociedad de la Información y del Comercio Electrónico,” (Act 34/2002, of 11 July, on Information Society Services and E-Commerce) you may withdraw your consent to receive marketing and promotional messages at any time by writing an email or other equivalent means of electronic messaging to EXCA, S.L., with the subject line “BAJA E-MAIL” to the following address: rgpd@bravahoteles.com.

The Entity has an active profile on the main online social media (Facebook, Twitter, LinkedIn, YouTube and Google+). The Entity shall in all cases process its followers’ data as permitted by these social media for corporate profiles. The Entity shall therefore inform its followers using any means permitted by these social media about its business, talks, offers, as well as giving its customers tailor-made services. Under no circumstances shall the Entity extract data from social media, unless it had obtained the User’s one-off, express consent to do so.