- Privacy and personal data protection policy
This Data Protection Policy is an integral part of the Website Legal Notice.
In compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”), as well as Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights, the Entity informs Users that their data will be incorporated into the Entity’s databases, in accordance with the details below:
- Details of the person responsible for the file and contact the Security Manager
- Owner: BRAVA HOTELES, S.L. with registered office at C. Serrano, 21, 2º. 28002 Madrid, NIF B72923535 (hereinafter, the “Entity”).
BRAVA HOTELES, S.L. together with the rest of the entities of the group of companies shall be referred to as “BRAVA HOTELES GROUP”.
Security Manager: Roser Rovira Segarra
- Purposes of processing
The data that the Entity will keep about you are your name, address, telephone number, e-mail address, tax identification document number, age, gender, nationality, invoicing data, as well as, if you are a customer, the User name and password and payment data. The Entity may also keep the data relating to the products and services contracted.
The Entity shall process the information it holds in relation to the persons concerned for the following purposes:
- To manage any type of application, suggestion or request regarding our services made by the interested parties.
- Internal research and development of the products and services we offer.
- Commercial communications, which involves the processing of your data in order to inform you about activities, articles of interest and general information about our services via e-mail.
Interested parties may unsubscribe from these communications at the following address firstname.lastname@example.org.
- Manage data provided by job applicants through the Curriculum Vitae (CV) that you provide to us for the purpose of recruitment and selection processes.
- We may also be required to use and retain personal information for legal and compliance reasons.
- We may also use personal information to comply with internal and external audit requirements and in any other way we deem necessary or appropriate: under applicable law (b) to respond to requests from courts, law enforcement agencies, regulatory agencies and other public and governmental authorities (c) for compliance with our terms and conditions, and (d) to protect our rights, privacy, safety or property, or those of others.
We will treat your data and information provided for selection processes with the strictest confidentiality, taking the necessary technical and organisational measures to prevent loss, misuse, alteration and/or unauthorised access.
Retention of data
- Curriculum Vitae management: the Entity may keep your Curriculum Vitae for a maximum period of one year, at the end of which it will be automatically destroyed, in compliance with the principle of data quality.
- To manage your registration as a user of the Website for as long as you remain a registered user.
- For marketing services, the processing will be carried out until the customer communicates his intention to unsubscribe from the newsletter or to receive commercial communications.
- In determining the retention periods for other data, the Entity considers local laws, contractual obligations and the expectations and requirements of our customers. When personal information is no longer required for the purpose for which it was collected, we delete or securely destroy it.
We process personal data in compliance with the law and in a transparent and fair manner. The data is processed:
- To manage registration as a user of the Website and identification.
- For the performance of contracts entered into with the Entity’s companies, the processing being necessary for the fulfilment of our obligations towards you.
- Customer service.
- Marketing and commercial communications.
- For the satisfaction of a legitimate interest pursued by the Entity’s entities.
- In compliance with the law.
- Data flow
Processors: We may provide access to certain personal information when we deem it necessary to do so in order to provide our services and to improve our services. When we share personal information, we do so in accordance with privacy and data security requirements, as follows:
- Financial institutions.
- Technology and analytics service providers.
- Service providers and service partners involved in the provision of hospitality services.
- Service providers related to customer services.
- Marketing and advertising related service providers and partners, such as advertising agencies, advertising partners or social networks which, in certain cases, may act as joint controllers.
- Legal, economic and financial service providers.
Group companies: We share personal data between the companies belonging to the Group in order to carry out and improve the services you have contracted with us.
Transfer of data: We do not transfer personal data to third parties, except as provided by law. Access to and/or processing of personal data that is the responsibility of the Users is not considered to be a transfer of data when this is necessary for the proper provision of the services that they have contracted.
Origin: the Entity collects your personal information from the following sources:
- Information provided directly to us by you in the registration process, when you proceed to request information, purchase services or products or when you use our services or when you request customer services.
- In addition, we may also obtain information from third parties that we believe is publicly available or on a commercial basis in order to provide you with services that we believe may be of interest to you and to maintain data accuracy and to improve our products and services.
Right of Access, Rectification and Deletion: Interested parties have the right to obtain confirmation as to whether or not the Entity is processing personal data concerning them. Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
Right to Limitation and Opposition: In certain circumstances, data subjects may request that we restrict the processing of their data, in which case we will only retain the data for the purpose of exercising or defending claims. In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data. The Entity will stop processing the data, except for compelling legitimate reasons, or the exercise or defence of possible claims.
Right of portability: Data subjects have the right to request the portability of their data, allowing their data to be transmitted directly to an entity or company, provided that this is technically possible.
These rights may be exercised by sending an e-mail to the Entity, attaching a photocopy of the data subject’s National Identity Document (email@example.com).
- Updates and modifications
The Entity reserves the right to modify and/or update the information on data protection when necessary for the correct compliance with the Data Protection Regulation. In the event of any modification, the new text will be published on this page, where you will be able to access the current policy. In each case, the relationship with the Users will be governed by the regulations in force at the precise moment at which the website is accessed.
- 9. Channel of communication and support
Interested parties may communicate any questions about the processing of their personal data or interpretation of our policy at the following address: firstname.lastname@example.org.
In accordance with the provisions of Law 34/2002 of 11 July, Services Information Society and Electronic Commerce, you may revoke at any time the consent given to receive advertising or promotional communications by email or other means of electronic communication equivalent by BRAVA HOTELES GROUP, by sending an email with the subject “UNSUBSCRIBE E-MAIL” to the following address: email@example.com.
The Entity maintains an active profile on the main social networks on the Internet (Facebook, Twitter, LinkedIn, Youtube and Google+). The processing that the Entity will carry out with the data of its followers will in any case be that which the social network allows for corporate profiles. The Entity may therefore inform its followers by any means that the social network allows about its activities, presentations, offers, as well as provide personalised customer service. Under no circumstances shall the Entity extract data from the social networks, unless the user’s consent to do so is specifically and expressly obtained.