General Regulation for the Protection of Personal Data
A. GENERAL PART
This document is an integral part of the regulatory body for the protection of personal data in Torre de Palma, taking into account the General Regulation on Data Protection (2016/679), hereinafter referred to as GDPR.
Whenever this document is updated, a new version will be made available immediately after its approval.
Monitoring of compliance with this standard will be ensured by measuring the evaluation indicators for controls and/or audits (internal or external), at regular time intervals or when significant changes occur.
Scope and objective
Torre de Palma is committed to respecting best practices in the field of security and protection of personal data, having approved a demanding program for this purpose, capable of safeguarding the protection of the data made available to us by all those who in any way relate to Torre de Palma.
All information related to an identified or identifiable natural person; an identifiable individual is a person who can be identified, directly or indirectly, for example by a name, an identification number, location data, electronic identifiers or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of Personal Data
Personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or the union membership of a natural person, as well as the processing of genetic data, biometric data to identify a person unambiguously, health-related data or data on sexual life or sexual orientation.
It is the operation or a set of operations carried out on personal data or on personal data sets, by automated or non-automated means, such as the collection, registration, organization, structuring, conservation, adaptation or alteration, retrieval, consultation, use, dissemination by transmission, dissemination or any other form of availability, comparison or interconnection, limitation, erasure or destruction.
Person Responsible for Processing
It is the natural or legal person, the public authority, the agency or other body that, individually or in conjunction with others, determines the purposes and means of processing personal data; where the purposes and means of such treatment are determined by Union or Member State law, the controller or the specific criteria applicable to his appointment may be provided for by Union or Member State law.
Violation of Personal Data
It is a breach of security that causes, accidentally or unlawfully, the destruction, loss, alteration, disclosure or unauthorized access to personal data transmitted, preserved or subject to any other type of treatment.
It is a natural or legal person, the public authority, agency or other body that processes personal data on behalf of the person responsible for processing them.
It is a natural or legal person, the public authority, the service or body that is not the data owner, the controller, the subcontractor or the people who, under the direct authority of the controller or processor, are authorized to process personal data.
HOLDER DATA COLLECTION AND PROCESSING
As part of Torre de Palma's activity, the collection, registration, organization, conservation, use and consultation of personal data takes place. There may also be other operations or a set of operations that, under the terms of the General Data Protection Regulation, are referred to as “personal data processing”.
The personal data collected concerns not only employees but also suppliers, candidates and customers.
Torre de Palma collects personal data, namely, the data required for reservations and billing, as well as the personal data of employees for legal purposes of employability.
When collecting Personal Data, Torre de Palma provides data subjects with detailed information about the nature of the data collected and about the purpose and treatment that will be carried out in relation to personal data, as well as the information mentioned in the clause relating to the right of access to personal data.
These subcontracted entities will not be able to transmit the data of the holder to other entities without Torre de Palma having previously given written authorization to do so, and they are also prevented from contracting other entities without prior authorization.
Torre de Palma is committed to subcontracting only entities that present sufficient guarantees of execution of the appropriate technical and organizational measures, in order to ensure the defense of the rights of the holder. All subcontracted entities are linked to Torre de Palma through a written contract which regulates, namely, the object and duration of treatment, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the parties.
When collecting personal data, Torre de Palma provides the data subject with information about the categories of subcontracted entities that, in the specific case, can carry out data processing on their behalf.
DATA COLLECTION CHANNELS
Torre de Palma can collect data directly (i.e., directly from the holder) or indirectly (i.e., through partner entities or third parties). Collection can be done through the following channels:
Direct collection: in person, by phone or by email;
Indirect collection: through partners or reservation companies and official entities.
GENERAL PRINCIPLES APPLICABLE TO THE HOLDER'S DATA PROCESSING
In terms of general principles relating to the processing of personal data, Torre de Palma undertakes to ensure that the data of the holder processed by it are:
- Subject to lawful, fair and transparent treatment in relation to the data subject;
- Collected for specific, explicit and legitimate purposes, not later being treated in a way incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are treated;
- Accurate and updated whenever necessary, taking all appropriate measures so that the inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay;
- Kept in a way that allows the identification of the data subject only during the period necessary for the purposes for which the data are processed;
- Treated in a way that guarantees their safety, including protection against their unauthorized or illicit treatment and against their accidental loss, destruction or damage, taking appropriate technical or organizational measures.
The data processing carried out by Torre de Palma is lawful when at least one of the following situations occurs:
- The data subject has given his explicit consent to the processing of the data subject's data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is a party, or for pre-contractual steps at the request of the data subject;
- Treatment is necessary for the fulfilment of a legal obligation to which Torre de Palma is subject;
- Processing is necessary to defend the vital interests of the data subject or another natural person;
- Processing is necessary for the purposes of the legitimate interests pursued by Torre de Palma or by third parties (unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail).
Torre de Palma undertakes to ensure that the data of the holder is processed only under the conditions listed above and with respect for the principles mentioned above.
When the processing of the data subject's data is carried out on the basis of the data subject's consent, the data subject has the right to withdraw his consent at any time. The withdrawal of consent, however, does not compromise the lawfulness of the treatment performed by us based on the consent previously given by the data subject.
The period of time during which the data is stored and preserved varies according to the purpose for which the information is processed.
Indeed, there are legal requirements that require data to be kept for a minimum period of time. Thus, and whenever there is no specific legal requirement, the data will be stored and preserved only for the minimum period necessary for the purposes that motivated its collection or further processing, after which it will be eliminated.
USE AND PURPOSES OF THE HOLDER'S DATA PROCESSING
In general terms, Torre de Palma uses the data subject's data for various purposes, namely billing and collection to the data subject, for marketing purposes and for the management of human resources and recruitment of employees.
The data of the holder collected by Torre de Palma are not shared with third parties without the consent of the holder, except for the situations referred to in the following paragraph. However, in the event that the holder contracts with services from Torre de Palma that are provided by other entities responsible for the processing of personal data, the data of the holder may be consulted or accessed by those entities, insofar as this is necessary for the provision of the said services.
IMPLEMENTED TECHNICAL, ORGANIZATIONAL AND SECURITY MEASURES
To guarantee the security of the data of the holder and the maximum confidentiality, Torre de Palma treats the information provided to it in an absolutely confidential manner, in accordance with its internal security and confidentiality policies and procedures, which are updated periodically according to the needs, as well as in accordance with the legally provided terms and conditions.
Depending on the nature, scope, context and purposes of processing the data, as well as the risks arising from the treatment for the rights and freedoms of the data subject, Torre de Palma undertakes to apply, both when defining the means of treatment and at the time of the treatment itself, the technical and organizational measures necessary and adequate to protect the data of the holder and to comply with legal requirements.
It also undertakes to ensure that, by default, only the data that is necessary for each specific purpose of treatment are processed and that this data is not made available without human intervention to an undetermined number of people.
In terms of general measures, Torre de Palma adopts the following:
- Regular audits to assess the effectiveness of the technical and organizational measures implemented;
- Awareness and training of staff involved in data processing operations;
- Mechanisms capable of ensuring the confidentiality, availability and permanent resilience of information systems;
- Mechanisms that ensure the restoration of information systems and access to personal data in a timely manner in the event of a physical or technical incident;
TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION
The personal data collected and used by Torre de Palma are not made available to third parties established outside the European Union. If, in the future, this transfer takes place, Torre de Palma undertakes to ensure that the transfer complies with the applicable legal provisions, namely with regard to determining the suitability of that country with regard to data protection and the requirements applicable to such transfers.
B. RIGHTS OF DATA HOLDERS
RIGHT TO INFORMATION
Information provided to the data subject by Torre de Palma (when data is collected directly from the data subject):
- The identity and contact details of Torre de Palma, as the entity responsible for processing, and, if applicable, of its representative;
- The purposes of the processing for which the personal data are intended, as well as, if applicable, the legal basis for the processing;
- If the processing of the data is based on legitimate interests of Torre de Palma or a third party, an indication of such interests;
- If applicable, the recipients or categories of recipients of personal data;
- If applicable, an indication that personal data will be transferred to a third country or an international organization, and whether or not there is an adequacy decision taken by the Commission or reference to appropriate transfer guarantees;
- Term of conservation of personal data;
- The right to request from Torre de Palma access to personal data, as well as its rectification, erasure or limitation, the right to object to the processing and the right to data portability;
- If the processing of the data is based on the consent of the holder, the right to withdraw the consent at any time, without compromising the lawfulness of the treatment carried out based on the consent previously given;
- The right to file a complaint with the CNPD (Comissão Nacional de Proteção de Dados) or other supervisory authority;
- Indication whether or not the provision of personal data constitutes a legal or contractual obligation, or a necessary requirement to conclude a contract, as well as whether the holder is obliged to provide personal data and the possible consequences of not providing such data;
- If applicable, the existence of automated decisions, including profiling, and information regarding the underlying logic, as well as the importance and expected consequences of such treatment for the data subject.
If the data of the data subject is not collected directly by Torre de Palma from the data subject, in addition to the information referred to above, the data subject is additionally informed about the categories of personal data being processed and about the origin of the data and, where applicable, whether it comes from publicly accessible sources.
In case Torre de Palma intends to proceed with the further processing of the data of the data subject for a purpose other than that for which the data were collected, it will, before such processing, provide the data subject with information about that purpose and any other pertinent information, under the terms referred to above.
Procedures and measures implemented to fulfil the right to information:
- The aforementioned information is provided in writing (including by electronic means) by Torre de Palma to the holder prior to the processing of the personal data in question. Under the terms of the applicable law, Torre de Palma has no obligation to provide the holder with this information when and to the extent that the holder is already aware of it.
- Information is provided by Torre de Palma free of charge.
RIGHT OF ACCESS TO PERSONAL DATA
Torre de Palma guarantees the means by which the data subject can access his personal data.
The data subject has the right to obtain confirmation from Torre de Palma that the personal data concerning him are or are not subject to treatment and, if applicable, the right to access his personal data and the following information:
- The purposes of data processing;
- The categories of personal data in question;
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, namely recipients established in third countries or belonging to international organizations;
- The period of conservation of personal data;
- Right to request rectification, deletion or limitation of the processing of personal data, or the right to object to such processing;
- Right to file a complaint with CNPD or another supervisory authority;
- If the data has not been collected from the holder, the available information on the source of that data;
- The existence of automated decisions, including the definition of profiles, and information related to the underlying logic, as well as the importance and expected consequences of such treatment for the data subject;
- Right to be informed about adequate guarantees associated with the transfer of data to third countries or international organizations.
- Upon request, Torre de Palma will provide the data subject, free of charge, with a copy of their data that is being processed. The supply of other copies requested by the holder may incur administrative costs.
RIGHT TO RECTIFY PERSONAL DATA
The data subject has the right to request, at any time, the rectification of his personal data and, as well, the right to have his incomplete personal data completed, including by means of an additional declaration.
In case of rectification of the data, Torre de Palma informs each recipient to whom the data has been transmitted of the respective rectification, unless such communication proves impossible or implies a disproportionate effort for Torre de Palma.
RIGHT TO DELETE PERSONAL DATA (“RIGHT TO BE FORGOTTEN”)
The data subject has the right to obtain, from Torre de Palma, the deletion of his data when one of the following reasons applies:
- The data of the holder is no longer necessary for the purpose that motivated its collection or treatment;
- The holder withdraws the consent on which the data processing is based and there is no other legal basis for such processing;
- The holder opposes treatment under the right of opposition and there are no prevailing legitimate interests that justify the treatment;
- If the holder's data is processed illegally;
- If the data of the holder has to be deleted in order to comply with a legal obligation to which Torre de Palma is subject.
Under applicable legal terms, Torre de Palma is under no obligation to delete the holder's data to the extent that the processing proves necessary to fulfill a legal obligation to which it is subject or for the purposes of declaring, exercising or defending a right of Torre de Palma in a lawsuit.
In case of data deletion, Torre de Palma informs each recipient / entity to whom the data has been transmitted of the respective deletion, unless such communication proves impossible or involves a disproportionate effort for Torre de Palma.
When Torre de Palma has made the data of the holder public and is obliged to delete them under the right of erasure, it undertakes to take reasonable measures, including technical measures, taking into account the available technology and the costs of its application, to inform those responsible for the effective processing of personal data that the holder has requested them to delete the links to those personal data, as well as copies or reproductions thereof.
RIGHT TO LIMIT THE PROCESSING OF PERSONAL DATA
The data subject has the right to obtain, from Torre de Palma, the limitation of the processing of the data of the holder, if one of the following situations applies (the limitation consists of inserting a mark in the personal data kept in order to limit its treatment in the future):
- If the holder challenges the accuracy of personal data, for a period that allows Torre de Palma to verify its accuracy;
- If the processing is illegal and the data subject opposes the deletion of the data, requesting, on the other hand, to limit its use;
- If Torre de Palma no longer needs the data subject's data for processing purposes, but these data are required by the data subject for the purposes of declaring, exercising or defending a right in a judicial process;
- If the holder opposes the treatment, until it is verified that Torre de Palma's legitimate reasons prevail over those of the holder.
- When the data of the holder is subject to limitation, they can only, with the exception of conservation, be processed with the consent of the holder or for the purpose of declaring, exercising or defending a right in a judicial process, defending the rights of another natural or legal person, or for reasons of public interest legally provided for.
The data subject who has obtained a limitation on the processing of his data in the cases referred to above will be informed by Torre de Palma before the limitation on processing is lifted.
In case of limitation in the processing of data, Torre de Palma will communicate to each recipient to whom the data have been transmitted the respective limitation, unless such communication proves impossible or involves a disproportionate effort.
RIGHT TO PORTABILITY OF PERSONAL DATA
The data subject has the right to receive personal data concerning him / her which he / she has provided to Torre de Palma, in a structured, commonly used and machine-readable format, and the right to transmit this data to another controller, if:
- Treatment is based on consent or a contract to which the holder is a party; and
- The treatment is carried out by automated means.
The portability right does not include inferred data or derived data, i.e., personal data that is generated by Torre de Palma as a consequence or result of the analysis of the data being processed.
The data subject has the right to have personal data transmitted directly between controllers, whenever technically possible.
RIGHT OF OPPOSITION TO TREATMENT
The holder has the right to object at any time, for reasons related to his particular situation, to the processing of personal data concerning him based on the exercise of legitimate interests pursued by Torre de Palma or when the processing is carried out for purposes other than those for which personal data were collected, including the definition of profiles, or when personal data are processed for statistical purposes.
Torre de Palma will stop processing the data of the holder, unless it presents compelling and legitimate reasons for such treatment that prevail over the interests, rights and freedoms of the holder, or for the purposes of declaring, exercising or defending a right of Torre de Palma in a judicial process.
When the data of the data subject are processed for the purposes of direct marketing, the data subject has the right to object at any time to the processing of data concerning him for the purposes of said marketing, which covers the definition of profiles to the extent that it is related to direct marketing. If the holder opposes the processing of his data for the purposes of direct marketing, Torre de Palma stops processing the data for that purpose.
The data subject also has the right not to be subject to any decision taken exclusively on the basis of automated processing, including the definition of profiles, which has an effect on his legal sphere or which significantly affects him in a similar way, unless the decision:
- Is necessary for the conclusion or execution of a contract between the holder and Torre de Palma;
- Is authorized by legislation to which Torre de Palma is subject; or
- Is based on the explicit consent of the data subject.
PROCEDURES FOR THE EXERCISE OF RIGHTS BY THE HOLDER
The right of access, the right to rectification, the right to erase, the right to limit, the right to portability and the right to object can be exercised by the data subject by contacting Torre de Palma and filling out the respective form.
Torre de Palma will respond in writing (including by electronic means) to the holder's request within a maximum period of one month from receipt of the request, except in cases of special complexity, where this period may be extended up to two months.
If the requests submitted by the holder are manifestly unfounded or excessive, namely due to their repetitive nature, Torre de Palma reserves the right to charge administrative costs or refuse to comply with the request.
PERSONAL DATA BREACHES
In the event of a data breach and insofar as such breach is likely to imply a high risk to the holder's rights and freedoms, Torre de Palma undertakes to report the breach of personal data to CNPD within 72 hours of knowledge of the incident.
Under legal terms, communication to the holder is not required in the following cases:
- If Torre de Palma has applied appropriate protection measures, both technical and organizational, and these measures have been applied to the personal data affected by the personal data breach, especially measures that make the personal data incomprehensible to any person not authorized to access that data, such as encryption;
- If Torre de Palma has taken subsequent measures to ensure that the high risk to the holder's rights and freedoms is no longer likely to materialize; or
- If the communication to the holder implies a disproportionate effort for Torre de Palma. In that case, Torre de Palma will make a public communication or take a similar measure through which the holder will be informed.
C. FINAL PART
APPLICABLE LAW AND JURISDICTION