Privacy Policy
Introduction
This privacy policy has been drafted taking the provisions of the Organic Law on the Protection of Personal Data in force into account, as well as Regulation 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the movement of such data, hereinafter the GDPR.
The purpose of this privacy policy is to inform the owners of the personal data about what information is being collected, of the specific aspects relating to the processing of their data, inter alia, the purposes of the processing, contact details for exercising their rights, time limits for storing information and security measures, among other things.
Data Controller
In terms of data protection HOZNAYO TURISTICO S.L., should be considered the data controller in relation to the files/processing identified in this policy, specifically in the Data Processing section.
Below are the details identifying the website owner:
Data Controller: HOZNAYO TURISTICO S.L.
Postal Address: CALLE LAS BARRERAS 2, 39716 HOZNAYO, CANTABRIA
Email Address: info@palaciodelosacevedo.com
Data Processing
The personal data requested, where appropriate, will only consist of what is strictly necessary to identify and attend to the request made by its owner, hereinafter the data subject. Furthermore, personal data will be collected for specific, explicit and legitimate purposes and will not be further processed in a way incompatible with those purposes.
The data collected from each data subject shall be adequate, relevant and not excessive in relation to the corresponding purposes for each case, and shall be updated whenever necessary. The owner of the data will be informed, prior to the collection of their data, about the general points in this policy so that they can give their express, precise and unequivocal consent to processing their data, in accordance with the following aspects.
Processing Purposes
The explicit purposes for which one of the processing operations is carried out are set out in the information clauses incorporated into each of the data collection channels (web forms, paper forms, by voice or posters and information notes).
Nevertheless, the data subject's personal data will be processed for the exclusive purpose of providing them with an effective response and attending to the requests made by the user, specified alongside the option, service, form or data collection system used by the owner.
Legal Basis
As a general rule, prior to processing the personal data, HOZNAYO TURISTICO S.L. obtains express and unequivocal consent from the data's owner, through inclusion of consent clauses in the various information collection systems.
However, in the case where the data subject's consent is not required, the legitimate basis of the processing wherein HOZNAYO TURISTICO S.L. protects itself is the existence of a specific law or regulation that authorises or requires processing the data subject's data.
Recipients
As a general rule, HOZNAYO TURISTICO S.L. does not proceed to transfer data or communication of the data to third parties, except if legally required. Nevertheless, when such data transfers or communication are necessary, the data subject is informed using informed consent clauses contained in the various means of personal data collection.
Source
As a general rule, personal data is always collected directly from the data subject, however, in certain exceptions, data may be collected through third parties, entities or services other than the data subject. Accordingly, this will be communicated to the data subject through the informed consent clauses contained in the various information collection channels and within a reasonable period of time, once the data has been obtained, and no longer than one month.
Storage Period
The information collected from the data subject will be kept as long as it is necessary to fulfil the purpose the personal data was collected for, so that, once the purpose has been fulfilled, the data will be deleted. That deletion will result in blocking the data, which will be stored only for the Public Administrations, judges and courts, in order to meet any possible liabilities arising from the processing, during the period of limitation for the latter, once this period has expired, the information shall be destroyed.
For information purposes, the legal data for the conservation of information in relation to different subjects is set out below:
DOCUMENT, PERIOD AND LEGAL REF.
Documentation concerning employment or related to social security
- Period, 4 years
- Legal. Ref. Article 21 of Royal Legislative Decree 5/2000, of 4 August, approving the revised text of the Law on Labour Infringements and Penalties.
Accounting and tax documentation for commercial purposes
- Period, 6 years
- Legal. Ref. Art. 30 Commercial Code
Accounting and tax documentation for tax purposes
- Period, 4 years
- Legal. Ref. Articles 66 to 70 General Taxation Law
Building access control
- Period. 1 month Investigation
- Legal. Ref. 1/1996 of the Spanish Data Protection Agency (AEPD)
Video surveillance
- Period. 1 month Investigation
- Legal. Ref. 1/2006 of the Spanish Data Protection Agency (AEPD) and Organic Law 4/1997
Registration data
In relation to the navigation data that can be processed through the website, in the event that data is collected that is subject to the regulations, we recommend consulting the Cookie Policy published on our website.
Rights of the data subject
The data protection regulations grant a series of rights to the data subjects or data owners, users of the website or users of HOZNAYO TURISTICO S.L.'s social network profiles. The rights for the persons concerned are as follows:
· Right of access: right to obtain information on whether their own data is being processed, the purpose of the processing, the categories of data concerned, the recipients or categories of recipients, the retention period and the source of such data.
· Right to rectification: right to obtain the rectification of inaccurate or incomplete personal data. · Right to erasure: right to obtain the erasure of the data in the following cases:
- · - CWhen the data is no longer necessary for the purpose it was collected for.
- · - When the owner withdraws consent.
- · - When the data subject objects to the processing.
- · - When they must be removed due to a legal obligation.
- · - Where the data has been collected on the basis of an information society service in accordance with the provisions in article 8 section 1 of the European Data Protection Regulation.
· Right to object: the right to object to a certain processing operation based on the data subject's consent.
· Right to restrict processing: right to restrict data processing when one of the following cases occurs:
- · - Where the person concerned contests the accuracy of the personal data, over a period of time that allows the company to verify the accuracy of the data.
- · - Where the processing is lawful and the data subject objects to the erasure of the data.
- · - When the company no longer needs the data for the purposes it was collected for, but the data subject it for formulating, exercising or defending complaints.
- · - When the data subject has objected to processing while determining if the legitimate reasons of the company prevail over those of the data subject.
· The right to portability: the right to obtain data in a structured, commonly used and machine-readable format and to transfer it to another data controller when:
- · - The treatment is based on consent.
- · - Processing is carried out by automated means.
· The right to lodge a complaint with the competent supervisory authority.
Data subjects will be able to exercise the indicated rights, addressing HOZNAYO TURISTICO S.L., in writing, sent to the following address: info@palaciodelosacevedo.com with the right they wish to exercise in the Subject line.
In this respect HOZNAYO TURISTICO S.L. will attend to their request as soon as possible and taking the foreseen periods into account in the regulations with regard to data protection.
Security
The security measures adopted by HOZNAYO TURISTICO S.L. are those required, in accordance with those established in article 32 of the GDPR In this respect, HOZNAYO TURISTICO S.L., taking the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing into account, as well as the risks of variable probability and seriousness for the rights and freedoms of natural persons, has established the appropriate technical and organizational measures to ensure the level of security appropriate for the existing risk.
In any case, HOZNAYO TURISTICO S.L. has implemented sufficient mechanisms to:
- a) Guarantee confidentiality, integrity, permanent availability and resilience of the processing systems and services.
- b) Restore availability and access to personal data quickly, in the event of a physical or technical incident.
- c) Verify, evaluate and assess, the effectiveness of the technical and organisational measures implemented on a regular basis to guarantee the security of the processing.
- d) Pseudonymising and encrypting personal data, where appropriate.