Privacy, Security and Data Protection Policy
I – PRIVACY COMMITMENT
Maria dos Anjos Gonçalves Dias & Filho, Lda thanks you for the trust placed in it and is committed to protecting the privacy of all users of the various websites and digital platforms it provides and owns. In this context, it has prepared this Privacy, Security and Data Protection Policy, with the purpose of ensuring its commitment and respect for the rules of privacy and protection of personal data.
II – RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
In accordance with and for the purposes of Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter “GDPR”) and Law No. 58/2019, of 8th of August (Law implementing the GDPR in the Portuguese legal system, hereinafter “LPDP”), the entity jointly responsible for the processing of personal data is:
- Maria dos Anjos Gonçalves Dias & Filho, Lda, taxpayer no. 507 268 016, with headquarters at Quinta da Caldeira – 4950 – 421 Monção, as the entity that owns and operates the Hotel Dom Afonso, located in Quinta da Caldeira – 4950 – 421 Monção.
III – DEFINITION OF PERSONAL DATA
Personal Data is any information, regardless of nature and support, relating to an identified or identifiable natural person. A person who can be identified, directly or indirectly, by any element that allows identification is considered identifiable.
IV – DEFINITION OF PERSONAL DATA HOLDER
The holder of personal data is the customer/user/supplier/subcontractor, a natural person, to whom the data relates. In this case, a customer/user is the person who hires/accesses the website/uses the services or products of the Data Controllers.
V – RIGHTS OF DATA SUBJECTS
Under the terms of the GDPR and the LPDP, the data subject is guaranteed the exercise of all legally permitted rights, provided that there is processing of personal data by the Data Controllers, namely:
- Right of access – consists of the right to obtain confirmation of which of your personal data are processed and information about them.
- Right to rectification – consists of the right to request the rectification of your personal data that is incorrect/outdated or request that incomplete data be completed.
- Right to erasure of data or “right to be forgotten” – consists of the right to obtain the deletion of your personal data, provided that there are no valid and/or legitimate grounds on the part of those responsible for processing for their conservation.
- Right to portability – consists of the right to receive the data you provided in a commonly used and machine-readable digital format, or to request the direct transmission of your data to another entity that becomes the new responsible for your personal data.
- Right to withdraw consent or right to object – consists of the right to oppose or withdraw your consent, at any time, to data processing, as long as there are no valid and/or legitimate grounds on the part of those responsible for processing for not accepting the exercise of this right.
- Right of limitation – consists of the right to request the limitation of the processing of your personal data, in the form of suspension of processing or limitation of the scope of processing to certain categories of data or processing purposes.
- Right to complain – consists of the right to lodge a complaint with the relevant supervisory authority if you consider that there has been any infringement of your rights. In Portugal, this authority is the National Data Protection Commission (hereinafter “CNPD”). More information about the CNPD is available at www.cnpd.pt.
VI – INFORMATION AND CONSENT
By accepting this Privacy Notice, the Holder of personal data is informed and gives their express, unequivocal, free and informed consent to the processing of personal data provided through the domain and subdomains of hoteldomafonso.pt (the “Website”) whether treated by Data Controllers in the future.
VII – EXERCISE OF PERSONAL DATA HOLDER’S RIGHTS
Data Controllers undertake to respond to the exercise of rights by data subjects within a maximum period of 30 (thirty) days, unless the request is particularly extensive or complex. The exercise of rights is generally free of charge, except if the request is manifestly unfounded or excessive, in which case a reasonable fee may be charged taking into account the costs. Please note that the exercise of any of the rights must always be made in writing, in person or electronically. To exercise their personal data protection rights or ask any questions about the use of their personal data, data subjects may do so by email to the following address: info@hoteldomafonso.pt
VIII – PURPOSE OF DATA OBTAINING
The data obtained within the scope of the digital and physical presence of those responsible for processing are intended to ensure the correct provision of our services, and to ensure navigation and availability of content on our websites. Among others, these serve to:
- Fulfill obligations to our customers;
- Manage accommodation reservation: Creation, storage and processing of legal documents as well as personal data, in accordance with the GDPR and LPDP.
- Manage your stay: Monitoring the use of services for exclusive debit purposes (telephone, bar, pay TV, etc.); manage access to rooms;
- Improving the service provided: Adapting our products and services to better serve customer needs;
- Customer relationship management: Management of loyalty programs; Segmentation of operations based on the customer's booking history; Development of statistics and internal reports; Sending and managing newsletters, promotions, service offers and satisfaction questionnaires;
- Use of third party services in the analysis and mapping of personal data, at the time of booking and/or during the stay, to determine the customer profile;
- Compliance with local legislation (e.g. when storing official customer documents).
IX – TYPES OF PERSONAL DATA COLLECTED
Those responsible for processing, through their websites and/or hotel units, do not process personal data belonging to special categories within the meaning of art. 9 of EU Regulation 2016/679. Through their website, messages or in person, data controllers may obtain and process the following personal data:
- a) Specific data:
  – Contact details (first name, last name, telephone number and email);
  – Personal information (date of birth, nationality, city, country);
  – Children’s information (first name, last name, age and date of birth);
  – Credit card number (for billing/banking purposes);
  – Arrival and departure dates;
  – Your preferences (preferred floor, bed type, interests, limitations, etc.);
  – Your limitations (allergies, food intolerances, etc.).
- b) Any information provided by you through the website or in messages, whether by filling out forms or sent in free text. This information includes, in particular, that provided when registering to receive the newsletter, contact request, accommodation reservations and other complementary services. The information you provide when you participate in any area that involves your registration or provision of your content or when you interact with those responsible for processing, such as when you send an email requesting information to any of the addresses belonging to the domains of which those responsible for the treatment are holders, can also be treated.
- c) Information relating to your visits to the website, including, in particular, IP addresses, page visit time, and type of browser, for system administration and to facilitate navigation and return to the website at a later date. In principle, this data will only be processed for statistical purposes on the browsing actions and patterns of website users and will not allow the identification of any individual. However, when the user provides other information, this data may allow their identification and will be treated in accordance with the GDPR and LPDP.
- d) Information relating to access to the Internet via WIFI and Ethernet by your electronic devices, namely the Internet Protocol address (namely “IP”), Media Access Control address (namely “MAC”), time of use of the service and activity associated with the device. For more information, please see the Terms and Conditions for WIFI and Ethernet.
You are also informed that the personal data collected by the Data Controllers are limited to what is strictly necessary for the purposes for which they were requested. When personal data is provided, the Data Controllers provide all the information legally required for the processing of such data and require the consent of their holders when this is required by law and when there is no legitimate interest on the part of the Data Controllers or third parties, such as the processing of data for improving the quality of service, detecting fraud and protecting revenue, and when our reasons for using them should prevail over your data protection rights.
X – PERSONAL DATA COLLECTION LOCATIONS
The places designated below are those that can usually request access to the customer's personal data:
- a) Website:
  – Contact request;
  – Request for information;
  – Request to book accommodation and/or additional services;
- b) Hotel Activities:
  – Room reservation;
  – Payment and check-in;
  – Places that provide food (Food and Beverage);
  – Requests, complaints and compliments;
- c) Participation in marketing campaigns:
  – Registration in loyalty programs;
  – Participation in surveys (namely the satisfaction survey);
  – Subscription to services complementary to the hotel’s activity;
XI – DATA RETENTION PERIODS
The period of time during which the data will be stored and retained corresponds only to the period necessary to achieve the defined purpose or, as applicable, until you exercise your right to object, right to be forgotten or withdraw consent, varying according to the purpose for which the information is used. As a rule, personal data relating to contracted accommodation and those made available in the accommodation bulletin will be stored for 2 (two) years after the end of the contract (i.e. two years after the customer checks out). Billing and payment data will be retained for 10 (ten) years, in accordance with the Value Added Tax Code (CIVA). Data relating to complaints will be retained for a period of 3 (three) years, in accordance with Article 3, paragraph 1, letter d) of Decree-Law no. 156/2005 of 15 September. In the case of newsletters, the period for which the personal data you provide us with will be stored and processed begins when the applicant submits the subscription form and ends when the subscription is cancelled. You can cancel your subscription at any time using a specific link available for this purpose in all of our newsletters. Upon unsubscribing, the data subject in question will receive a notification email and, subject to the terms of the applicable legislation, their data will be removed from our newsletter mailing list. All other services not detailed above will store your information only for the maximum legal period in force and, if this is indefinite, until you exercise your right to object, right to be forgotten or withdraw your consent.
XII – PLACE OF PROCESSING OF PERSONAL DATA
Data processing takes place in our facilities and is only processed by technical employees of the entity responsible for its processing, however there may be transfers of personal data to the USA and EU:
XIII – INFORMATION TRACKING
Data controllers use tracking technologies to improve navigation on their websites and newsletters. Obtaining this data is essential to ensure functionality, improve navigation on our websites and for sending the newsletter, service subscription forms and accommodation reservations, as well as improving our communications with subscribers and customers and enabling statistical analysis. Consult our Cookies Policy for more information.
XIV – PRIVACY OF MINORS
Personal data relating to minors may only be made available, in person or on the website of the Data Controllers, by the holders of parental responsibilities and within the legal parameters in force. In such cases, the Data Controllers shall make all appropriate efforts to verify that consent has been given or authorized by the holder of parental responsibilities of the minor, taking into account the available technology. The Data Controllers cannot be held responsible for the lawfulness of the processing of personal data provided by persons who commit fraud regarding their identity and other identification elements.
XV – RESPONSIBILITY OF THE PERSONAL DATA HOLDER
The Holder of personal data who uses the IT platforms made available by the Data Controllers guarantees that he/she is over 18 (eighteen) years old and that the data provided is true, accurate, complete and up-to-date, assuming responsibility for the veracity of all data disclosed and must keep the information provided duly updated. When the Holder of personal data provides his/her data to third parties, with the aim of contracting the services made available by the Data Controllers, these third parties must guarantee that they have obtained the authorization of the Data Holder for the data to be provided to the Data Controllers for the purposes indicated. The Holder of personal data or any third party acting on his/her behalf and representation shall be liable for false or inaccurate information provided on the website and for direct or indirect damages caused to the Data Controllers or third parties.
XVI – VIDEO SURVEILLANCE
The establishments of the Data Controllers are equipped with video surveillance and image recording systems, for the purpose of protecting people and property, in order to pursue the legitimate interest of security within their facilities. The data collected through the video surveillance systems are intended exclusively to be used and communicated in accordance with the criminal procedural law, although their processing may be entrusted to a private security entity subcontracted for this purpose. The Data Subject may exercise the right of access to data concerning him/her, which may not involve access to images of third parties, which will be hidden or anonymized. The Data Controllers may, at any time, limit or remove the video surveillance system from their establishments, and there may be periods in which they are not in operation, in particular for maintenance needs, technical reasons or power cuts. The data collected within the scope of the video surveillance systems will be stored for 30 days.
XVII – PROTECTION OF HOLDERS’ PERSONAL DATA
In accordance with current legislation and taking into account available technology, Data Controllers provide an adequate level of protection for your personal data, in particular by implementing the necessary technical and organisational measures to protect your personal data against accidental destruction, loss or modification, as well as against unauthorised access and other processes, namely:
- Logical security requirements and measures, such as the use of firewalls, virtual LANs and intrusion detection systems on their systems.
- Physical security measures, including strict control of access to the physical facilities of Data Controllers.
- Data protection measures using technical means such as encryption, pseudonymisation and anonymisation of personal data.
- Scrutiny, audit and control mechanisms to ensure compliance with security and privacy policies.
- An information and training program for employees and partners of Data Controllers.
- Access rules for customers/users to certain products or services, such as a second opt-in level for subscribing to services on the platform and the introduction of a password whenever an employee accesses, directly or indirectly, any database of Data Controllers, in order to reinforce control and security mechanisms.
However, Data Controllers inform you that no security system can guarantee absolute protection. We remain at your disposal for any questions or observations regarding the confidentiality and security of your personal data.
Monção, 03 May 2024.