Data Protection and Privacy Policy

(Finca Victoria Hotel & Spa)

SALOMON SA RIERA S.L. (hereinafter, the Entity) is committed to due diligence and compliance with Data Protection regulations.


Below is detailed information on the confidentiality and personal Data Protection policy in compliance with the provisions of Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR), and Article 11 of Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD).


Details of the Data Controller and contact details of the Data Protection Officer (DPO):



Purposes of the processing

The Entity will process the information provided by data subjects for the following purposes:

  • To manage your assistance, visit and meeting at our facilities.
  • To manage the provision and delivery of contracted hotel and tourism services, including, among others:
    • Offline and online booking process.
    • Registration as a guest of Finca Victoria Hotel & Spa.
    • Management and improvement of your stay.
    • 24-hour reception service.
    • Parking service.
    • Food and beverage service.
    • Wi-Fi service.
    • Booking of meeting rooms, conferences and events.
  • To manage any type of request, booking, suggestion or enquiry submitted by data subjects.
  • To manage your registration in the club or loyalty programme and offer you special benefits.
  • Informational and commercial communications: processing your data in order to inform you about activities, items of interest and general information related to our activity and the contracted services.
  • To manage data provided by job applicants through their Curriculum Vitae (CV) or any other means for selection and recruitment purposes.
  • To ensure the security of offices, facilities and individuals through access controls, video surveillance systems and other access control/identification systems.
  • To comply with the legal provisions applicable to the Entity and its activities in matters relating to health, equality and occupational risk prevention.
  • To manage and monitor the operation of the mechanisms, policies and internal protocols established by the Entity for regulatory compliance purposes and for managing the whistleblowing channels established for this purpose.
  • Any other processing operations that may be applicable to us for due compliance with the regulations and official/sectoral requirements to which our activity is subject.

For the proper fulfilment and development of your assistance and the management of the aforementioned purposes, the processing of your data for the relevant purposes mentioned above will be carried out in strict compliance with Data Protection regulations and the Policy detailed herein. You may exercise your rights at any time (see the specific section).



Data retention criteria


  • Management of services contracted with the Entity: the personal data provided in contracts, offers and/or service proposals, as well as those of other persons whose involvement may be necessary, will be kept for as long as the contracted services remain in force. Once the provision of the contracted service(s) has ended, personal data will be retained where liabilities may arise vis-à-vis the Entity and/or in compliance with other regulatory frameworks applicable to the Entity or with a law requiring the retention of such data. Personal data will be kept in such a way as to allow identification and the exercise of the Rights of data subjects and under the technical, legal and organisational measures necessary to guarantee their confidentiality and integrity.
  • Curriculum Vitae management: as a general rule, the Entity keeps your Curriculum Vitae for a maximum period of one year; once this period has elapsed, it will be automatically destroyed, in compliance with the principle of data quality.
  • Employment Contract management: personal data will in any case be retained for as long as the employment relationship remains in force and, once it has ended, in cases where liabilities may arise between the parties and where required by law.
  • Others: the rest of the data and information provided by the user by any means will be retained for as long as necessary to fulfil the purpose for which they were collected.

Legal basis


The legal basis enabling the Entity to process the personal data of users, customers and prospective customers is as follows:


  1. The consent of data subjects for the processing and management of any request for information or enquiry about our services.
  2. The consent given by job applicants for selection and recruitment purposes.
  3. The framework of pre-booking, provision and/or contracting of services with the Entity.
  4. The legitimate interest in sending you informational and commercial communications and/or promotional offers related to the Entity’s activity and the contracted services by email or any other means.
  5. Compliance with legal obligations and internal regulatory compliance procedures.
  6. The legitimate interest in ensuring the security of offices, facilities and individuals.

Recipients


The Entity, whenever necessary to achieve the purposes described above, will share personal data with the following third parties:


  • Collaborating entities: when their involvement is required within the framework of a contract and/or agreement for the provision of products and services established with our customers.
  • Suppliers: personal data may be disclosed to different suppliers due to the provision of services by them requiring access to and processing of personal data.
  • Legal representatives: if their intervention is required in relation to legal proceedings.
  • Public administrations or bodies in compliance with applicable regulations (labour, occupational risk prevention, tax, accounting, data protection, etc.).
  • Courts and Tribunals and the State Security Forces and Bodies: personal data will be disclosed to these entities whenever officially required. The personal data of guests and customers provided when registering at the Hotel will be subject to documentary registration and information obligations, in compliance with the provisions of Article 25 of Organic Law 4/2015, of 30 March, on the protection of public security.
  • Companies of the MAJESTIC GROUP for the following purposes: tax and accounting management of the Hotel, reservation management, administration of the Hotel’s websites, portals and social media, technical direction of the Hotel’s advertising, marketing and promotional activities, including the sending of commercial communications, control and management of the Hotel’s debt, collaboration in the contracting of services and supplies necessary for the Hotel, collaboration in the search for candidates for vacant job offers, as well as all those activities involving collaboration and joint management among the MAJESTIC GROUP companies.

Source


Personal data are obtained directly from data subjects and our collaborators, as well as from online booking platforms. The categories of personal data provided to us are the following:


  • Identification and contact details.
  • Postal or electronic addresses.
  • Bank details.
  • Data provided and/or consented to by the data subjects themselves, related to and necessary for the management and provision of the requested service.

Rights


Right of Access, Rectification and Erasure: Data subjects have the right to obtain confirmation as to whether or not the Entity is processing personal data concerning them. Data subjects have the right to access their personal data, as well as to request the rectification of inaccurate data or request their erasure when, among other reasons, the data are no longer necessary for the purposes for which they were collected.


Right to Restriction and Objection: In certain circumstances, data subjects may request the restriction of the processing of their data, in which case we will only retain them for the exercise or defence of claims. In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data. In such a case, the Entity will stop processing the data, except for compelling legitimate grounds or for the exercise or defence of possible claims.


Right to withdraw consent: Data subjects have the right to withdraw their consent at any time, except in the case of processing of personal data provided for by Data Protection regulations or necessary for the provision of the contracted service, which does not require such consent. However, this withdrawal has no retroactive effect and therefore will not affect the lawfulness of processing based on consent previously given.


These rights may be exercised through our Data Protection Channel, the access details of which are set out at the beginning of this Policy.


Security and Control Measures


General


In compliance with data protection regulations, the Entity will process personal data by applying the appropriate technical, legal, organisational and security measures in order to guarantee the confidentiality and integrity of the information it manages in accordance with current regulations. We would appreciate it if you would report to the Data Protection Officer, through the contact details / Channel established in this Privacy Policy, any security risk of which you have evidence or knowledge that may compromise the integrity and confidentiality of personal data and/or confidential information, so that the necessary measures can be adopted to prevent unauthorised processing, loss, destruction or accidental damage.


Cybersecurity


As a specific concept complementary to the above, the Entity applies cybersecurity measures to prevent and manage possible attacks and fraud by cybercriminals that threaten the privacy and protection of the data that our Entity processes and accesses within the scope of its activities and operations. If you receive a communication whose content and/or format raises doubts as to its authenticity, we recommend ignoring it and contacting the Data Protection Officer through the contact details indicated in this Privacy Policy. Likewise, any request originating from our Entity concerning changes to payment methods, requests for data or contact persons or confidential (non-public) information, bank details and/or credit card details and/or other official data should not be dealt with without direct confirmation from our Entity through an alternative means. We appreciate and need your collaboration in reporting to us any requests of this type and other possible cyberattack risk situations in which our Entity may be used, as well as any possible security risk of which you may become aware.


Data Protection Channel


The Entity has implemented a Channel, reflecting the highest commitment, rigour and professionalism in terms of security, expertise, independence and knowledge in handling the communications received. The Channel, which includes use in the field of Data Protection, has been implemented through a web platform developed and managed by an independent external expert, in order to provide and guarantee the aforementioned commitments.


Through the Channel, you may communicate and process the exercise of your Rights (see previous section) and report any indication or knowledge you may have of possible security breaches, cyberattacks and/or possible breaches or irregularities regarding Data Protection regulations, this Entity Policy and all the matters mentioned above regarding confidentiality and business secrets. The access details for the Channel are set out at the beginning of this Policy.


Supervisory authority


In the event of any disagreement with the Entity regarding the processing of your data, you have the right to lodge a complaint with the corresponding Data Protection Supervisory Authority. In Spain, this Authority is the Spanish Data Protection Agency (www.aepd.es).


Customer care and support


Data subjects may contact the Entity with any questions regarding the processing of their personal data or the interpretation of our Policy by contacting the Data Protection Officer (DPO) at the address indicated at the beginning of this Policy.