Privacy, Security and Data Protection Policy
I – PRIVACY COMMITMENT
Maria dos Anjos Gonçalves Dias & Filho, Lda thanks you for the trust placed in it and is committed to protecting the privacy of all users of the various websites and digital platforms it provides and owns. In this context, it has prepared this Privacy, Security and Data Protection Policy, with the purpose of ensuring its commitment and respect for the rules of privacy and protection of personal data.
II – RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
In accordance with and for the purposes of Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter “GDPR”) and Law No. 58/2019, of 8th of August (Law implementing the GDPR in the Portuguese legal system, hereinafter “LPDP”) the jointly responsible for the processing of personal data is:
- Maria dos Anjos Gonçalves Dias & Filho, Lda, tax taxpayer no. 507 268 016, with headquarters at Quinta da Caldeira – 4950 – 421 Monção, as entity that owns and operates the Hotel Dom Afonsolocated in Quinta da Caldeira – 4950 – 421 Monção.
III – DEFINITION OF PERSONAL DATA
Personal Data is any information, regardless of nature and support, relating to an identified or identifiable natural person. A person who can be identified, directly or indirectly, by any element that allows identification is considered identifiable.
IV – DEFINITION OF PERSONAL DATA HOLDER
The holder of personal data is the customer/user/supplier/subcontractor, a natural person, to whom the data relates. In this case, a customer/user is the person who hires/accesses the website/uses the services or products of the Data Controllers.
V – RIGHTS OF DATA SUBJECTS
Under the terms of the GDPR and the LPDP, the data subject is guaranteed the exercise of all legally permitted rights, as long as personal data is processed by those responsible for the processing, namely:
– Right of access – consists of the right to obtain confirmation of which personal data is being processed and information about them.
– Right to rectification – consists of the right to request the rectification of your personal data that is incorrect/out of date or to request that those that are incomplete be completed.
– Right to erasure of data or “right to be forgotten” – consists of the right to obtain the deletion of your personal data, as long as there are no valid and/or legitimate grounds on the part of those responsible for processing for its conservation.
– Right to portability – consists of the right to receive the data you provided in a commonly used and machine-readable digital format, or to request the direct transmission of your data to another entity that becomes the new responsible for your personal data.
– Right to withdraw consent or right to object – consists of the right to oppose or withdraw your consent, at any time, to data processing, as long as there are no valid and/or legitimate grounds on the part of those responsible for processing for not accepting the exercise of this right.
– Right of limitation – consists of the right to request the limitation of the processing of your personal data, in the form of suspension of processing or limitation of the scope of processing to certain categories of data or processing purposes.
– Right to complain – consists of the right to lodge a complaint with the relevant supervisory authority if you consider that there has been any infringement of your rights. In Portugal, this authority is the National Data Protection Commission (hereinafter “CNPD”). More information about the CNPD is available at www.cnpd.pt.
VI – INFORMATION AND CONSENT
By accepting this Privacy Notice, the Holder of personal data is informed and gives their express, unequivocal, free and informed consent to the processing of personal data provided through the domain and subdomains of hoteldomafonso.pt (the “Website”) whether treated by Data Controllers in the future.
VII – EXERCISE OF PERSONAL DATA HOLDER’S RIGHTS
Those responsible for processing undertake to respond to the exercise of rights by holders of personal data, within a maximum period of 30 (thirty) days, unless it is a particularly extensive or complex request.
The exercise of rights tends to be free of charge, except in the case of a manifestly unfounded or excessive request, in which case a reasonable fee may be charged taking into account the costs.
Please note that the exercise of any of the rights must always be provided in writing, in person or electronically.
To exercise your personal data protection rights or ask any questions about the use of your personal data, the respective holders may do so by email to the following address: info@hoteldomafonso.pt
VIII – PURPOSE OF DATA OBTAINING
The data obtained within the scope of the digital and physical presence of those responsible for processing are intended to ensure the correct provision of our services, and to ensure navigation and availability of content on our websites. Among others, these serve to:
- Fulfill obligations to our customers;
- Manage accommodation reservation: Creation, storage and processing of legal documents as well as personal data, in accordance with the GDPR and LPDP.
- Manage your stay: Monitoring the use of services for exclusive debit purposes (telephone, bar, pay TV, etc.); manage access to rooms;
- Improving the service provided: Adapting our products and services to better serve customer needs;
- Customer relationship management: Management of loyalty programs; Segmentation of operations based on the customer's booking history; Development of statistics and internal reports; Sending and managing newsletters, promotions, service offers and satisfaction questionnaires;
- Use of third party services in the analysis and mapping of personal data, at the time of booking and/or during the stay, to determine the customer profile;
- Compliance with local legislation (e.g. when storing official customer documents).
IX – TYPES OF PERSONAL DATA COLLECTED
Those responsible for processing, through their websites and/or hotel units, do not process personal data belonging to special categories within the meaning of art. 9 of EU Regulation 2016/679. Through their website, messages or in person, data controllers may obtain and process the following personal data:
- a) Specific data:
– Contact details (first name, last name, telephone number and email);
– Personal Information (Date of birth, nationality, city, country);
– Children’s information (first name, last name, age and date of birth);
– Credit card number (for billing/banking transaction purposes);
– Arrival and departure date;
– Your preferences (preferred floor, type of bed, interests, limitations, etc.).
– Your limitations (allergies, food intolerances, etc.).
- b) Any information provided by you through the website or in messages, whether by filling out forms or sent in free text. This information includes, in particular, that provided when registering to receive the newsletter, contact request, accommodation reservations and other complementary services. The information you provide when you participate in any area that involves your registration or provision of your content or when you interact with those responsible for processing, such as when you send an email requesting information to any of the addresses belonging to the domains of which Those responsible for the treatment are holders, can also be treated.
- c) Information relating to your visits to the website, including, in particular, IP addresses, page visit time, and type of browser, for system administration and to facilitate navigation and return to the website at a later date. In principle, this data will only be processed for statistical purposes on the browsing actions and patterns of website users and will not allow the identification of any individual. However, when the user provides other information, this data may allow their identification and will be treated in accordance with the GDPR and LPDP-
- d) Information relating to access to the Internet via WIFI and Ethernet by your electronic devices, namely the Internet Protocol address (namely “IP”), Media Access Control address (namely “MAC”), time of use of the service and activity associated with the device. For more information, please see the Terms and Conditions for WIFI and Ethernet.
Please note that the personal data collected by those responsible for processing are limited to what is strictly necessary to pursue the purposes for which they were requested.
When personal data is provided, the Data Controllers provide all the information legally required for the processing of such data and require the consent of the data subjects when this is required by law and when there is no legitimate interest on the part of the Data Controllers or third parties, such as data processing to improve service quality, detect fraud and protect revenue, and when our reasons for using it must prevail over your data protection rights.
X – PERSONAL DATA COLLECTION LOCATIONS
The places designated below are those that can usually request access to the customer's personal data:
- a) Website:
- Contact request;
- Information request;
– Request to reserve accommodation and/or complementary services;
- b) Hotel Activities:
- Room reservation;
– Payment and check-in;
– Places that provide food (Food and Beverage);
– Requests, complaints and compliments;
- c) Participation in marketing campaigns:
– Registration in loyalty programs;
– Participation in surveys (namely the satisfaction survey);
– Subscription to services complementary to the hotel’s activity;
– Subscription to services complementary to the hotel’s activity;
XI – DATA RETENTION PERIODS
The period of time during which the data will be stored and preserved corresponds only to the period necessary to achieve the defined purpose or, depending on what is applicable, until you exercise your right to object, right to be forgotten or withdraw consent, varying according to the purpose for which the information is used.
As a rule, personal data relating to contracted accommodation and those made available in the accommodation bulletin will be stored for 2 (two) years after the contract ends (i.e., two years after the customer checks out).
Billing and payment data are kept for 10 (ten) years, in accordance with the Value Added Tax Code (CIVA).
Data relating to complaints will be kept for a period of 3 (three) years, in accordance with Article 3.º no. 1 paragraph d) of Decree-Law no. 156/2005 of 15 September.
In newsletters, the period of conservation and processing of the personal data you provide begins from the moment the applicant submits the subscription form and ends from the moment the subscriber cancels the subscription. You can unsubscribe at any time using a dedicated link available in all of our newsletters. When unsubscribing, the data subject concerned will receive a notification email and, subject to the terms of applicable legislation, their data will be removed from our newsletter sending list.
All other services that are not detailed above will store your information only for the maximum legal period in force and, if this is indefinite, until you exercise your right to object, right to be forgotten or withdraw consent.
XII – PLACE OF PROCESSING OF PERSONAL DATA
Data processing takes place in our facilities and is only processed by technical employees of the entity responsible for its processing, however there may be transfers of personal data to the USA and EU:
XIII – INFORMATION TRACKING
Data controllers use tracking technologies to improve navigation on their websites and newsletters. Obtaining this data is essential to ensure functionality, improve navigation on our websites and for sending the newsletter, service subscription forms and accommodation reservations, as well as improving our communications with subscribers and customers and enabling statistical analysis. Consult our Cookies Policy for more information.
XIV – PRIVACY OF MINORS
Personal data relating to minors can only be made available, in person or on the website of those responsible for processing, by those with parental responsibilities and within current legal parameters.
In these cases, Data Controllers will make all appropriate efforts to verify that consent was given or authorized by the holder of parental responsibilities for the minor, taking into account available technology.
Those responsible for processing cannot be held responsible for the lawfulness of the processing of personal data provided by people who commit fraud regarding their identity and other identification elements.
XV – RESPONSIBILITY OF THE PERSONAL DATA HOLDER
The Holder of personal data who uses the IT platforms made available by those responsible for processing guarantees that he or she is over 18 (eighteen) years old and that the data provided is true, accurate, complete and updated, assuming responsibility for the veracity of all data disclosed and and must keep the information provided duly updated.
When the holder of personal data provides their data to third parties, with the aim of contracting the services provided by the Data Controllers, these third parties must ensure that they have obtained the data subject's authorization for the data to be provided to the Data Controllers for the purposes indicated.
The Holder of personal data or any third party acting on its behalf and representation will be responsible for false or inaccurate information provided on the website and for direct or indirect damages caused to Data Controllers or third parties.
XVI – VIDEO SURVEILLANCE
The establishments of those responsible for processing are equipped with video surveillance and image recording systems, with the purpose of protecting people and property, aiming to pursue the legitimate interest of security within their facilities. The data collected through video surveillance systems is intended to be exclusively used and communicated in accordance with criminal procedural law, although the private security entity subcontracted for this purpose may be responsible for processing it. The Data Holder may exercise the right of access to data concerning him or her, which may not involve access to images of third parties, which will be hidden or anonymized. Data controllers may, at any time, limit or remove the video surveillance system from their establishments, and there may be periods when they are not in operation, particularly due to maintenance needs, technical reasons or power cuts.
Data collected within the scope of video surveillance systems will be stored for 30 days.
XVII – PROTECTION OF HOLDERS’ PERSONAL DATA
In accordance with current legislation and taking into account available technology, those responsible for processing provide an adequate level of protection for your personal data, namely through the implementation of the technical and organizational measures necessary to protect your personal data against destruction. , accidental loss or modification, as well as against unauthorized access and other processes, namely:
– Logical security requirements and measures, such as the use of firewall, Virtual LAN and intrusion detection systems on your systems.
– Physical security measures, including strict access control to the physical facilities of data controllers. .
– Means of data protection using technical means such as encryption, pseudonymization and anonymization of personal data.
– Scrutiny, audit and control mechanisms to ensure compliance with security and privacy policies.
– An information and training program for employees and partners of Data Controllers
– Access rules for customers/users to certain products or services, such as a second opt-in level for subscribing to services on the platform and the introduction of a password whenever an employee accesses, directly or indirectly, any database of Data Controllers, in order to reinforce control and security mechanisms.
However, those responsible for processing inform that no security system can guarantee absolute protection.
We remain at your disposal for any questions or observations regarding the confidentiality and security of your personal data.
Monção May 3, 2024.