Privacy Policy
RESPONSIBLE FOR THE TREATMENT
Q SENSES HOTELS SL with CIF B-90394297, with address in Tomares (Seville), Puerta Aljarafe Building, Parque Aljarafe s/n, represented by José Antonio Garcés Cabrera, in his capacity as Data Protection Delegate, with contact telephone number 954.25 .73.25 and email protecciondatos@grupoq.net .
The aforementioned report has been prepared based on the information provided by the Data Controller.
PRIVACY POLICY
As you surely know, the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016 regarding the protection of personal data (hereinafter RGPD) and Organic Law 3/2018, of 5 December, Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), highlights the need to reinforce the levels of security and protection of personal data. We want to inform you that we comply with all the requirements that said legislation demands and that all data, under our responsibility, are being treated in accordance with legal requirements and maintaining the appropriate security measures that guarantee their confidentiality. However, given the legislative developments that have occurred, we believe it is appropriate to inform you of the following privacy policy:
1) Who is responsible for processing your data?
- Identity: Q SENSES HOTELS SL
- Postal Address: Puerta Aljarafe Building, Parque Aljarafe s/n (CP 41940 TOMARES) SEVILA
- Telephone: + 34 954-25-73-25
- Email: protecciondatos@grupoq.net
2) What are your rights?
- Anyone has the right to obtain confirmation as to whether we are processing personal data that concerns them or not.
- Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
- It is not possible to exercise the right to rectification in the case of video surveillance processing since due to the nature of the data - images taken from reality that reflect an objective fact - it would be the exercise of a right of impossible content.
- In certain circumstances, interested parties may request the limitation of the processing of their data, in which case we will only keep them for the exercise or defense of claims.
- In certain circumstances and for reasons related to their particular situation, interested parties may object to the processing of their data, in which case the Data Controller will stop processing the data, except for compelling legitimate reasons, or the exercise or defense of possible claims. . In this sense, and in relation to video surveillance images, the exercise of the right to object poses enormous difficulties. If this is interpreted as the impossibility of taking images of a specific subject within the framework of video surveillance facilities linked to private security purposes, satisfaction would not be possible to the extent that security protection prevails.
- By virtue of the right to portability, interested parties have the right to obtain the personal data that concerns them in a structured, commonly used and machine-readable format and to transmit it to another person responsible.
- In the event that you have given consent for a specific purpose, you have the right to withdraw consent at any time, without affecting the legality of the processing based on consent prior to its withdrawal.
3) How can rights be exercised?
3.1) Where to go to exercise your rights:
If you wish to exercise your rights, please go to the channel established for the exercise of rights by the data controller protecciondatos@grupoq.net so that we can respond to your request in a managed manner.
3.2) Information required to exercise your rights:
- To exercise your rights, we need to prove your identity and the specific request you make to us, as we request the following information:
- Documented information (written/email) of the request in which the request is specified.
- Proof of identity as the owner of the data subject to exercise (Name, surname of the interested party and photocopy of the DNI of the interested party and/or of the person who represents him or her, as well as the document accrediting such representation (legal representative, if applicable).
- In the case of exercising rights related to data of deceased persons: Copy of:
- Family Book or Civil Registry in which the kinship or de facto relationship with the deceased is recorded and/or,
- Will in which the applicant is declared as heir and/or,
- Express designation of the requesting person or institution by the deceased.
- Documentation that certifies the legal representation of the deceased.
- In the case of exercising rights of rectification and/or deletion: Responsible Declaration of the applicant in which he certifies that he has the consensus of the rest of the people linked to the deceased for family or de facto reasons, as well as his heirs to carry out said request. .
- When the data controller has reasonable doubts regarding the identity of the natural person making the request, they may request that the additional information necessary to confirm the identity of the interested party be provided.
- Address for notification purposes, date and signature of the applicant (in the case of writing), or full name and surname (in the case of email), or validation of the request in a private area of the communication channel with a personal authentication key. his identity)
- When exercising the right of rectification recognized in article 16 of the GDPR, the affected party must indicate in their request what data they refer to and the correction to be made. It must accompany, when necessary, documentation justifying the inaccuracy or incompleteness of the data being processed.
- Likewise, when we process a large amount of data relating to the affected party and exercise their right of access without specifying whether it refers to all or part of the data, the controller may request, before providing the information, that the affected party specify the data. or processing activities to which the request refers.
3.3) General Procedure for the Exercise of your rights:
- Once we have received the required information, we will proceed to respond to your request in accordance with the organization's general procedure for exercising rights:
- The data controller will provide the data subject with information relating to its actions on the basis of a request pursuant to articles 15 to 22 (Rights of the data subject), and in any case within one month of receipt of the data. application.
- This period may be extended for another two months if necessary, taking into account the complexity and number of applications.
- The person responsible will inform the interested party of any such extensions within a period of one month from receipt of the request, indicating the reasons for the delay.
- Where the interested party submits the request by electronic means, the information will be provided by electronic means where possible, unless the interested party requests that it be provided otherwise.
- Only in cases in which the data controller's processing systems allow it, the right of access may be provided through a remote, direct and secure access system to personal data that guarantees, permanently, access to its entirety. For these purposes, the communication by the person responsible to the affected person of the way in which he or she can access said system will be sufficient to consider the request to exercise the right to be fulfilled. However, the interested party may request from the Data Controller information referring to the points provided for in article 15.1 of the RGPD that was not included in the remote access system.
- If the data controller does not process the interested party's request, it will inform you without delay, and no later than one month after receipt of the request, of the reasons for its failure to act and of the possibility of submitting a claim to an authority. of control and to exercise judicial actions.
- The information provided will be free of charge, except for a reasonable fee for administrative costs. When the affected party chooses a means other than the one offered that entails a disproportionate cost, the request will be considered excessive, so the affected party will assume the excess costs that his choice entails. In this case, only the Data Controller will be required to satisfy the right of access without undue delay.
- The data controller may refuse to act on the request, although he or she will bear the burden of demonstrating the manifestly unfounded or excessive nature of the request. For the purposes established in article 12.5 of the RGPD, the exercise of the right of access on more than one occasion during a period of six months may be considered repetitive, unless there is legitimate cause for it.
- In cases in which rectification or deletion is carried out, your data will be blocked: The blocking of data consists of the identification and reservation of the same, adopting technical and organizational measures, to prevent its processing, including its visualization, except for making the data available to judges and courts, the Public Prosecutor's Office or the competent Public Administrations, in particular the data protection authorities, for the claim of possible responsibilities derived from the processing and only for the period of prescription thereof. After this period, the data will be destroyed. The blocked data may not be processed for any purpose other than that indicated above. (art. 16 RGPD and art.32 LOPDGDD).
- When the deletion results from the exercise of the right of opposition in accordance with article 21.2 of the RGPD, the Data Controller may retain the identification data of the affected person necessary in order to prevent future processing for direct marketing purposes. In cases where you do not want your data to be processed for the sending of commercial communications, we refer you to the existing advertising exclusion systems, in accordance with the information published by the competent control authority (AEPD) on its electronic headquarters www. aepd.es
- In cases where the processing of personal data is limited, it will be clearly stated in the information systems of the Data Controller.
- Given the existence of a certain debt, due and payable, a communication is sent to the debtor at the time of requesting payment about the possibility of inclusion in said systems (delinquency treatments of the organization), indicating those in which that participates (collection management entities for the management of the relevant claim...) in the event that the debt is not resolved within a maximum period of 15 days from the notification of the insolvency, you are informed about the possibility of exercising the established rights in articles 15 to 22 of the RGPD within thirty days following notification of the debt to the system, the data remaining blocked during that period.
- People linked to the deceased for family or de facto reasons, as well as their heirs, may contact the person responsible or in charge of processing in order to request access to their personal data and, where appropriate, its rectification or deletion. As an exception, the people referred to in the previous paragraph will not be able to access the deceased's data, nor request its rectification or deletion, when the deceased person has expressly prohibited it or as established by law. This prohibition will not affect the right of the heirs to access the patrimonial data of the deceased.
- In order to comply with current regulations on video surveillance Inst 1/2006 of the AEPD, we inform you that the conservation period for recordings is 1 month from their capture, as we will not be able to respond to requests formalized in later periods. Likewise, to avoid affecting the rights of third parties, in the case of an access request, we will proceed to issue a certificate in which, with the greatest possible precision and without affecting the rights of third parties, the data that has been subject to treatment. Ex. “Your image was registered in our systems on the ___ day of the month of the year between _ hours and _ hours. Specifically, the system records your access to and exit from the facility.”
4) What claim methods exist?
If you consider that your rights have not been duly taken care of, you have the right to file a claim with the competent data protection authority (www.agpd.es)
ADDITIONAL INFORMATION PROCESSING OF CONTACT DATA
1) For what purpose do we process the personal data you provide us?
- Attention to your queries and requests: Response Management to Queries, Claims or Incidents, Requests for technical or corporate information, Resources and/or Activities, and if you have consented, for the purposes described in the additional consents
- Contact with the interested party through the means of communication provided (email, postal address and/or telephone) in order to manage the queries sent to us through the channels enabled for this purpose, manage notices and coordinate actions derived from the services requested from us by people related to the company or the group to which it belongs and/or by data processors related to it for the legitimate and/or consented purposes.
- Registration management for conferences and events of the company or the Group to which it belongs
- Newsletter subscription management.
- The contact and/or sending of satisfaction surveys, newsletters and corporate information and offers and promotions of products and services of the organization and of hotels and activities in order to evaluate the quality of our processes and provide you with service offers of your interest through the means of communication provided, if you have consented
- The capture and subsequent publication of audiovisual and/or graphic material in which you may be involved in corporate media (for example and not limited to, website, social networks, newsletters, activity report, reports, presence in the media) and/or other means of public communication (sectoral publications and/or reports in the written press, TV, etc.), such as dissemination of the results of the activity, promotion and dissemination, management of campaigns, activities and events, if applicable. spoiled
- Associated management, including its prior communication, that could arise from the development of any structural modification operation of companies or the contribution or transfer of a business or branch of business activity, provided that the treatments were necessary for the successful completion of the operation. and guarantee, where appropriate, continuity in the provision of services.
- Inclusion in the whistleblower channel systems of the data associated with the reporting (even anonymously) of the commission within the organization or the actions of third parties that contracted with it, of acts or conduct that could result contrary to the general or sectoral regulations that may be applicable.
2) How long do we keep the data provided?
- The data provided will be kept as long as the relationship of legality of treatment is maintained and once its validity has expired, its deletion is not requested by the interested party, with the exception of its conservation for the formulation, exercise or defense of claims by the data controller. or with a view to the protection of the rights of another natural or legal person and/or for reasons of legal obligation.
- The data processed for the sending of commercial communications will be kept until you revoke the consent granted.
- The data of the person who makes the communication of a complaint and of the employees and third parties are kept in the complaints system to decide on the appropriateness of initiating an investigation into the reported events, as well as subsequently as evidence of the operation of the crime prevention model. commission of crimes by the legal entity, in accordance with the provisions of article 24 of the LOPDGDD.
3) What is the legitimacy for the processing of your data?
- The legal basis for the processing of your data is the fulfillment of the request you make to us. The data requested is necessary for the correct provision of the same.
- Satisfy a legitimate interest of the Controller: Cases of legitimate interest in which the controller could be a harmed party and the processing and communication of the non-compliant data to third parties is necessary in order to manage regulatory compliance and defend the interests of the controller. of treatment, as well as assumptions of legitimate interest of specific treatments contemplated in the LOPDGDD: Article 19. Processing of contact data and individual entrepreneurs; Article 20. Credit information systems; Article 21. Treatments related to the performance of certain commercial operations (corporate restructuring or business transfers) Article 22. Treatments for video surveillance purposes; Article 23 Advertising exclusion systems; Article 24 Information systems for internal complaints).
- The consent of the interested party that has been provided to us unequivocally through formal means and/or by checking the boxes enabled for this purpose in the data protection clauses enabled in the base document that has regulated the commercial relationship based on the contact channel. .
4) To which recipients can your data be communicated?
- Organizations or people directly hired by the Data Controller to provide services linked to the processing purposes: Collaborators, Subcontracted Entities for the execution of projects/services subject to request or consultation.
- Complaints Channel (Complaints about violations of regulations and code of conduct are transmitted to the Regulatory Compliance Unit): Access to the data contained in these systems will be limited exclusively to those who, whether or not included within the entity, develop the internal control and compliance functions, or to those in charge of processing that may be designated for this purpose. However, it will be lawful for other people to access it, or even communicate it to third parties, when it is necessary for the adoption of disciplinary measures or for the processing of judicial procedures that, where appropriate, may apply.
- Security Forces and Bodies: To the extent that a justified right of access is required in the investigation of a regulatory breach.
- Others (specify): Media and specialized magazines for the Promotion of the Organization's Activities
5) Under what guarantees are your data communicated?
The communication of data to third parties is carried out to entities that certify the provision of a Personal Data Protection System in accordance with current legislation.
6) How have we obtained your data?
The interested party himself, through the communication sent and/or through professional social networks.
7) What category of data do we process?
Identification and contact data, those related to and/or provided with the Query, Request for technical or corporate Information, Resources and/or Activities, Claims or Incidents that you make to us, as well as the personal data of third parties that you may provide to us.
8) How is your personal data stored securely?
Vico Black98 SL takes all necessary measures to keep your personal data private and secure. Only authorized persons, authorized personnel of data processors or authorized personnel of hotels and activities (who have a legal and contractual obligation to store all information securely) have access to your personal data. All staff who have access to your personal data are required to agree to respect the Hotel's Privacy Policy and data protection regulations, and all employees of Third Parties who have access to your personal data are required to sign the confidentiality commitments. in the terms established in current legislation. In addition, it is contractually ensured that third party companies that have access to your personal data keep it securely. To ensure that your personal data is protected, Q SENSES HOTELS SL has an IT security environment and takes the necessary measures to prevent unauthorized access.
Vico Black 99 SL has entered into agreements to ensure that we process your personal data correctly and in accordance with data protection law. These agreements reflect the respective roles and responsibilities in relation to you, and consider which entity is in the best position to meet your needs. These agreements do not affect your rights under data protection law. For more information about these agreements, please do not hesitate to contact us.
ADDITIONAL INFORMATION TREATMENT OF CUSTOMER DATA:
1) For what purpose do we process the personal data you provide us?
- Internal use, carrying out operations and administrative, economic and accounting management derived from the relationship with the assignor (commercial and/or contractual relationship associated with the management of lodging, restaurant and event services)
- Offer and Commercial Management of the organization and its services «In order to provide interested parties with offers of services of their interest»
- Management of Contracting and provision of services of the organization, as well as compliance with contractual requirements
- Management of Response to Queries, Claims or Incidents, Requests for Information, Resources and/or Activities
- Promotion and Dissemination of the Organization: The Preparation, Publication and Communication of Statistics, Activity Reports, Success Stories and Information associated with the communication and transparency of its Activity, as well as the Recording and Publication of Dissemination Material, Communication and Campaign Management , Activities, Events, Contests and/or Recording and Publication, in the organization's communication media (including website and social networks) and/or other means of public communication, of videos, recordings and photos associated with the activities carried out by the organization. organization that can incorporate people in the development of their functions "In order to provide interest groups with information about the organization"
- Sending News Bulletins, Activity Reports and Information associated with the Organization's Activity (Newsletter)
- Quality Management of processes and activities, as well as the evaluation of the satisfaction/perception and performance results of the organization's interest groups. Satisfaction surveys
- Providing evidence of technical solvency in presenting offers and/or requests, management and justification of campaigns, activities, events, contests, projects and subsidies in which the organization participates
- Regulatory Compliance Management (applicable regulations as well as mandatory internal regulations): Investigation, monitoring and auditing of controls established for the prevention of crimes, with access controls to facilities, information systems and printing of documentation for all data being able to be established. of a personal nature under the responsibility of the organization and therefore for all the information systems of said entity, as well as the controls related to the use of images captured by video surveillance systems for the investigation of accidents and/or incidents that could occur, as well as breaches of labor standards, crimes or illicit behavior.
- Profile Analysis «In order to be able to offer you products and services according to your interests, as well as improve your user experience, we will create a “profile”, based on the information provided. No automated decisions will be made based on said profile.
- Asset Solvency and Credit Assessment
- Contact Management / Agenda
- Statistical, historical purposes
- Management of Visits and Video Surveillance of the Facilities, as well as security and regulatory compliance therein, investigation of possible incidents or accidents, management of associated insurance and management of warnings or sanctions for non-compliance with safety regulations.
- The management and audit of quality, environmental management and/or occupational safety management of the organization's processes and facilities
- Sending offers and promotions through electronic communications. Sending Christmas Greetings.
- Consult the advertising exclusion systems that could affect your actions, excluding from the processing the data of those affected who have expressed their opposition or refusal to it through consultation of the advertising exclusion systems published by the competent control authority.
- Associated management, including its prior communication, that could arise from the development of any structural modification operation of companies or the contribution or transfer of a business or branch of business activity, provided that the treatments were necessary for the successful completion of the operation. and guarantee, where appropriate, continuity in the provision of services.
- Inclusion in the whistleblower channel systems of the data associated with the reporting (even anonymously) of the commission within the organization or the actions of third parties that contracted with it, of acts or conduct that could result contrary to the general or sectoral regulations that may be applicable.
- Others (specify): In the case of deposit contracts, they reserve the right to carry out periodic audits at the facilities of clients and other debtors.
- The international transfer of your data to the extent that it is strictly necessary to comply with your incorporation into a project in a country outside the EU. Failure to accept this clause will prevent your incorporation into the project in said country.
2) How long do we keep your data?
- The data provided will be kept as long as the relationship of legality of treatment is maintained, its deletion is not requested by the interested party after formalized written termination of the relationship with the interested party, with the exception of its conservation for the formulation, exercise or defense of claims. claims of the data controller or with a view to protecting the rights of another natural or legal person and/or for reasons of legal obligation.
- In any case, at the end of the relationship, the data of the interested party will be duly blocked, as provided for in current data protection regulations.
- Registration Book and Entry Reports for Hotel Establishments: The entry reports must be kept at the disposal of the Security Forces and Bodies, and then discarded in a manner that does not allow access to the personal information contained therein (OM INT 1922/2003, of July 3, of registration books and entry reports of travelers in hospitality establishments and other similar establishments) – 3 years
- Accounting and Tax Documentation – For Tax purposes: The accounting books and other mandatory record books according to the applicable tax regulations (IRPF, VAT, IS, etc.), as well as the documentary supports that justify the entries recorded in the books (including computer programs and files and any other supporting documentation that has fiscal significance), must be kept, at least, during the period in which the Administration has the right to verify and investigate and, consequently, to settle tax debt (Articles 66 to 70 General Tax Law ). Limitation period for Tax Crimes associated with the verification of the bases or quotas compensated or pending compensation or deductions applied or pending application and Crimes against the Public Treasury and Social Security – Art. 66 bis General Tax Law and Penal Code, respectively . - 4 years. Prescription violations 10 years.
- Accounting and Tax Documentation – For Commercial purposes: Books, correspondence, documentation and justifications concerning your business, duly ordered from the last entry made in the books, except as established by general or special provisions. This commercial obligation extends to both the mandatory books (income, expenses, investment goods and provisions as well as the documentation and supporting documents that support the entries recorded in the books (invoices issued and received, tickets, corrective invoices, bank documents, etc) (Art.30 Commercial Code) – 6 years.
- Solvency Files: Data referring to certain, overdue and demandable and unclaimed debts (Art. 20 of LOPDGDD) – as long as non-compliance persists, with a maximum limit of five years from the expiration date of the monetary, financial or credit obligation - 5 years
- The images/sounds captured by the video surveillance systems will be deleted within a maximum period of one month from their capture, except when they have to be preserved to prove the commission of acts that threaten the integrity of people, property or facilities (in which case , the images will be made available to the competent authority within a maximum period of 72 hours from becoming aware of the existence of the recording), or are related to serious or very serious criminal or administrative infractions in matters of public security, with a police investigation in progress or with an open judicial or administrative procedure (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art.22 LOPDGDD) – 30 days.
- The data included in the automated treatments created to control access to buildings (Instruction 1/1996, of March 1, of the AEPD, on automated files established for the purpose of controlling access to buildings) – 30 days
- The data processed in relation to the legal guarantee will be kept during the validity of the legal guarantee and once its validity has expired, during the period in which there may be a judicial or administrative claim in relation to the legal guarantee.
- The data processed for the sending of commercial communications will be kept until you revoke the consent granted.
- The data of the person who makes the communication of a complaint and of the employees and third parties are kept in the complaints system to decide on the appropriateness of initiating an investigation into the reported events, as well as subsequently as evidence of the operation of the crime prevention model. commission of crimes by the legal entity, in accordance with the provisions of article 24 of the LOPDGDD.
- Therefore, the data will be kept as long as the relationship with the organization remains in force, based on the conservation periods established by the current regulations noted above, as well as the legal or contractual periods provided for the exercise or prescription of any action of liability for contractual breach by the interested party or the Organization (reform of the Civil Code establishes a period of 5 years to be able to carry out an action for civil liability, a period that counts from the date on which compliance with the obligation can be required) .
3) What is the legitimacy for the processing of your data?
- The execution of a contract: Fulfillment of offer, reservation, order and/or commercial contract for lodging, restaurant and event services.
- Comply with a legal obligation: Regulations with the rank of administrative, commercial, tax, fiscal, accounting and financial law and consumer and user defense legislation. Basic regulations governing traveler registration books.
- Satisfy a legitimate interest of the Controller: Processing of data as parts of a commercial relationship and/or contract, which are necessary for its maintenance or fulfillment, transmissions of data within business groups for internal administrative purposes, direct marketing, fraud prevention, assumptions of legitimate interest in which the controller could be an injured party and the processing and communication of the non-compliant data to third parties is necessary in order to manage regulatory compliance and the defense of the interests of the controller, video surveillance purposes as an interest legitimate interest of the organization in the protection of its assets, the legitimate interest of direct marketing enabled by the LSSICE (sending commercial communications about products or services similar to those contracted by the client with whom there is a prior contractual relationship), as well as assumptions of legitimate interest of specific treatments contemplated in the LOPDGDD: Article 19. Processing of contact data and individual entrepreneurs; Article 20. Credit information systems; Article 21. Treatments related to the performance of certain commercial operations (corporate restructuring or business transfers) Article 22. Treatments for video surveillance purposes; Article 23 Advertising exclusion systems; Article 24 Information systems for internal complaints).
- Fulfill the purposes of the treatment by unequivocal consent of the interested party through the acceptance of the clauses enabled in the forms and/or the established consent clauses depending on the channel through which they have contacted the company and/or through by formal means and/or by checking the boxes enabled for this purpose in the data protection clauses enabled in the base document that has regulated the commercial relationship based on the commercial contact channel.
4) To which recipients can your data be communicated?
- Organizations or people directly hired by the Data Controller for the provision of services linked to the processing purposes (specify): Travel Agencies and Intermediaries, Community Manager, Subcontracted Entities for the execution of works/services that are the object of the service with the client, Management and/or Regulatory Compliance Auditors
- Financial Entities: Domiciliation of receipts and/or collection management of bills and other means of payment, due to legitimate interest associated with the collection of services provided.
- Organizations or bodies of the Public Administration with powers in the matters covered by the purposes of the treatment: AEAT
- Security Forces and Corps: Civil Guard and/or National Police, in accordance with basic regulations governing traveler registration books and to the extent that a justified right of access is required in the investigation of a regulatory breach, for legal compliance.
- Entity that processes the reservation and/or manages the payment of the invoice and the services that we have provided if you have consented. If you do not authorize this use, you must pay for the services we have provided.
- Media and specialized magazines for the Promotion of the Organization's Activities, to the extent that it consents to the recording, publication and/or reference in the organization's media and/or other public communication media, of videos, recordings and photos associated with the services we have provided as promotional material, justification of technical solvency and/or justification of events, projects and subsidies in which the organization participates.
- Compliance Complaints Channel (Complaints about violations of data protection regulations are transmitted to the “Chief Privacy Officer” located in the headquarters), for legitimate interest: Access to the data contained in these systems will be limited exclusively to those , whether or not included within the entity, carry out the functions of internal control and compliance, or those in charge of the treatment that are eventually designated for this purpose. However, it will be lawful for other people to access it, or even communicate it to third parties, when it is necessary for the adoption of disciplinary measures or for the processing of judicial procedures that, where appropriate, may apply.
- Others: We may carry out international transfers of your data to the extent that it is strictly necessary to comply with your incorporation into a project in a country outside the EU or due to the location of the processing systems of processing management applications.
5) Under what guarantees are your data communicated?
The communication of data to third parties is carried out to entities that certify the provision of a Personal Data Protection System in accordance with current legislation.
6) How have we obtained your data?
The interested party himself and other companies of the Business Group to which Q SENSES HOTELS SL belongs, travel agencies and intermediaries, entity that processes the reservation and/or manages the payment with which the data controller maintains a contractual relationship or provision of services. and for which you must have personal data of contact people, users and/or guests for administrative and operational management in order to manage your access to the lodging, catering and/or event service.
7) What category of data do we process?
Commercial data and contact persons for administrative and operational management associated with the execution of the contract/service; Data related to the position of contact persons for the administrative and operational management associated with the execution of the contract/service; Commercial data and contact persons for administrative and operational management associated with the execution of the contract/service; Economic, financial and/or payment conditions data; Goods and services received by the affected party, Financial transactions; Name, surname and NIF of legal representative, contact information of people in the organization involved or related to the project that is the object of the contract/service.
It does not contain specially protected data or data relating to criminal convictions and offences, except for those expressed by the interested party for the adaptation of the required service (eg reduced mobility, dietary intolerances,...).
7) How is your personal data stored securely?
In relation to the processing of your personal data, we inform you:
All necessary measures are taken to keep your personal data private and secure. Only authorized data processors or authorized hotel and activity staff (who have a legal and contractual obligation to store all information securely) have access to your personal data. All staff who have access to your personal data are required to agree to respect the Privacy Policy and data protection regulations and all employees of Third Parties who have access to your personal data are required to sign the confidentiality commitments in the terms established in current legislation. In addition, it is contractually ensured that third party companies that have access to your personal data keep it securely. To ensure that your personal data is protected, we have an IT security environment and take the necessary measures to prevent unauthorized access.
The company and group members have entered into agreements to ensure that we process your personal data correctly and in accordance with data protection law. These agreements reflect the respective roles and responsibilities in relation to you, and consider which entity is in the best position to meet your needs.
These agreements do not affect your rights under data protection law. For more information about these agreements, please do not hesitate to contact us.
In relation to personal data that may be accessed as a result of the contracted services, we inform you:
The provision of services covered by the contract may involve physical access by company personnel to premises or facilities that may store personal data for which the client is responsible for processing. In this sense, the company has signed clauses with its staff that prohibit access to all types of confidential information and, specifically, to personal data belonging to the client, unless the service contemplates in its scope the processing of transfer, repair , destruction and/or management of computer media that could contain personal data, in which case, Q SENSES HOTELS SL would act as data processor thereof, establishing in said case the relevant contract in accordance with current data protection regulations that would contemplate among other aspects, the object, duration, nature, purpose, category of the data being processed, security measures, obligations and rights of the processor, organizational and technical security measures to guarantee confidentiality during the process, as well as the agreements adopted between client and processor in relation to the transmission of security violations and/or exercise of rights. Failure to formalize the personal data processing service in a contract by the client presupposes that Q SENSES HOTELS SL has no associated responsibility as data processor.
However, in the event that you become aware of any type of confidential information for the purpose of providing the service, you undertake to keep it secret, not to disclose or publish it, either directly or through third parties. or companies, or to make it available to third parties. This confidentiality obligation is indefinite in nature, subsisting upon termination of the contract for any reason. Q SENSES HOTELS SL undertakes to communicate and enforce the obligations established regarding confidentiality to the personnel under its charge and hired on its behalf.
ADDITIONAL INFORMATION PROCESSING OF SUPPLIER DATA:
1) For what purpose do we process the personal data you provide us?
- Internal use, Commercial and relationship management, Carrying out operations and Administrative, economic and accounting management derived from the relationship with the supplier/collaborator
- Internal use, carrying out operations and administrative, economic and accounting management derived from the relationship with the assignor (commercial and/or contractual relationship)
- Management of Contracting and provision of services of the organization, as well as compliance with contractual requirements
- Management of Response to Queries, Claims or Incidents, Requests for Information, Resources and/or Activities
- Promotion and Dissemination of the Organization: The Preparation, Publication and Communication of Statistics, Activity Reports and Information associated with the communication and transparency of its Activity, as well as the Recording and Publication of Dissemination Material, Communication and Management of Campaigns, Activities, Events , Contests and/or Recording and Publication, in the organization's media (including web and social networks) and/or other public communication media, of videos, recordings and photos associated with the activities carried out by the organization that may incorporate to people in the development of their functions «In order to provide interest groups with information about the organization»
- Sending News Bulletins, Activity Reports and Information associated with the Organization's Activity
- Quality Management of processes and activities, as well as the evaluation of the satisfaction/perception and performance results of the organization's interest groups.
- Management of the Selection, Approval and Contracting of Suppliers/Collaborators and verification of regulatory compliance
- Health and safety management (prevention of occupational risks and safety surveillance) and compliance evaluation
- Management of presentation of technical solvency in presentation of offers and/or requests, management and justification of campaigns, activities, events, contests, projects and subsidies in which the organization participates
- Schedule and/or face-to-face or attendance control and monitoring of functional performance
- Regulatory Compliance Management (applicable regulations as well as mandatory internal regulations): Investigation, monitoring and auditing of controls established for the prevention of crimes, with access controls to facilities, information systems and printing of documentation for all data being able to be established. of a personal nature under the responsibility of the organization and therefore for all the information systems of said entity, as well as the controls related to the use of images captured by video surveillance systems for the investigation of accidents and/or incidents that could occur, as well as breaches of labor standards, crimes or illicit behavior.
- Contact Management / Agenda
- Statistical, historical or scientific purposes
- Access control and Video surveillance of the Facilities, as well as security and regulatory compliance therein, preserving the safety of people and property and facilities, as well as for the exercise of the worker control functions provided for in the article. 20.3 of the Workers' Statute, the investigation of possible incidents or accidents, management of associated insurance and management of warnings or sanctions for non-compliance with safety standards.
- The management and audit of quality, environmental management and/or occupational safety management of the organization's processes and facilities
- Associated management, including its prior communication, that could arise from the development of any structural modification operation of companies or the contribution or transfer of a business or branch of business activity, provided that the treatments were necessary for the successful completion of the operation. and guarantee, where appropriate, continuity in the provision of services.
- Inclusion in the whistleblower channel systems of the data associated with the reporting (even anonymously) of the commission within the organization or the actions of third parties that contracted with it, of acts or conduct that could result contrary to the general or sectoral regulations that may be applicable.
- Others: Reserves the right to carry out periodic audits at the facilities of suppliers and creditors
2) How long do we keep your data?
- The data provided will be kept as long as the relationship of legality of treatment is maintained, its deletion is not requested by the interested party after formalized written termination of the relationship with the interested party, with the exception of its conservation for the formulation, exercise or defense of claims. claims of the data controller or with a view to protecting the rights of another natural or legal person and/or for reasons of legal obligation.
- In any case, at the end of the relationship, the data of the interested party will be duly blocked, as provided for in current data protection regulations.
- Accounting and Tax Documentation – For Tax purposes: The accounting books and other mandatory record books according to the applicable tax regulations (IRPF, VAT, IS, etc.), as well as the documentary supports that justify the entries recorded in the books (including computer programs and files and any other supporting documentation that has fiscal significance), must be kept, at least, during the period in which the Administration has the right to verify and investigate and, consequently, to settle tax debt (Articles 66 to 70 General Tax Law ). Limitation period for Tax Crimes associated with the verification of the bases or quotas compensated or pending compensation or deductions applied or pending application and Crimes against the Public Treasury and Social Security – Art. 66 bis General Tax Law and Penal Code, respectively . - 4 years. Prescription violations 10 years.
- Accounting and Tax Documentation – For Commercial purposes: Books, correspondence, documentation and justifications concerning your business, duly ordered from the last entry made in the books, except as established by general or special provisions. This commercial obligation extends to both the mandatory books (income, expenses, investment goods and provisions as well as the documentation and supporting documents that support the entries recorded in the books (invoices issued and received, tickets, corrective invoices, bank documents, etc) (Art.30 Commercial Code) – 6 years.
- Occupational Risk Prevention Documentation – Documentation on information and training for workers. Records of occupational accidents or professional diseases (Legislative Royal Decree 5/2000, of August 4, which approves the consolidated text of the Law on Infractions and Sanctions in the Social Order) – 5 years.
- The images/sounds captured by the video surveillance systems will be deleted within a maximum period of one month from their capture, except when they have to be preserved to prove the commission of acts that threaten the integrity of people, property or facilities (in which case , the images will be made available to the competent authority within a maximum period of 72 hours from becoming aware of the existence of the recording), or are related to serious or very serious criminal or administrative infractions in matters of public security, with a police investigation in progress or with an open judicial or administrative procedure (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art.22 LOPDGDD) – 30 days.
- The data included in the automated treatments created to control access to buildings (Instruction 1/1996, of March 1, of the AEPD, on automated files established for the purpose of controlling access to buildings) – 30 days
- The data processed in relation to the legal guarantee will be kept during the validity of the legal guarantee and once its validity has expired, during the period in which there may be a judicial or administrative claim in relation to the legal guarantee.
- Solvency Files: Data referring to certain, overdue and demandable and unclaimed debts (Art. 20 of LOPDGDD) – as long as non-compliance persists, with a maximum limit of five years from the expiration date of the monetary, financial or credit obligation - 5 years
- The data processed for the sending of commercial communications will be kept until you revoke the consent granted.
- The data of the person who makes the communication of a complaint and of the employees and third parties are kept in the complaints system to decide on the appropriateness of initiating an investigation into the reported events, as well as subsequently as evidence of the operation of the crime prevention model. commission of crimes by the legal entity, in accordance with the provisions of article 24 of the LOPDGDD.
- Therefore, the data will be kept as long as the commercial relationship remains in force, based on the conservation periods established by the current regulations noted above, as well as the legal or contractual periods provided for the exercise or prescription of any liability action for breach of contract by the interested party or the Organization (reform of the Civil Code establishes a period of 5 years to be able to carry out an action for civil liability, a period that counts from the date on which compliance with the obligation can be required).
2) What is the legitimacy for the processing of your data?
- The execution of a contract: Fulfillment of the offer, order and/or commercial contract.
- Comply with a legal obligation: Regulations with the rank of administrative, commercial, tax, fiscal, accounting and financial law, occupational risk prevention, social security and applicable regulations of the sector.
- Satisfy a legitimate interest of the Controller: Processing of data as parts of a commercial relationship and/or contract, which are necessary for its maintenance or compliance, transmissions of data within business groups for internal administrative purposes, fraud prevention, as well as cases of legitimate interest in which the controller could be a harmed party and the processing and communication of the defaulter's data to third parties is necessary in order to manage regulatory compliance and the defense of the interests of the controller, video surveillance purposes as a legitimate interest of the organization in the protection of its assets, as well as cases of legitimate interest in specific treatments contemplated in the LOPDGDD: Article 19. Processing of contact data and individual entrepreneurs; Article 20. Credit information systems; Article 21. Treatments related to the performance of certain commercial operations (corporate restructuring or business transfers) Article 22. Treatments for video surveillance purposes; Article 24 Information systems for internal complaints).
- The consent of the interested party that has been provided to us unequivocally through formal means and/or by checking the boxes enabled for this purpose in the data protection clauses enabled in the base document that has regulated the commercial relationship based on the contact channel. .
3) To which recipients can your data be communicated?
- Organizations or people directly hired by the Data Controller to provide services linked to the processing purposes: Hotels, Legal Advice, Management and/or Regulatory Compliance Auditors, Prevention Services, third parties to whom data is provided. subcontracted workers for access to their facilities.
- Organizations or bodies of the Public Administration with powers in the matters covered by the purposes of the treatment: AEAT
- Financial Entities: Transfer and/or management of payment instruments.
- Unions, Staff Boards/Work Committee: Workers' Representatives: Contractors or subcontractors that are established (including self-employed workers) (art.35.2 CC and art.42 ET): CIF/NIF, company name, registered office, object of the contract, Social Security registration employer number, place of execution of the contract, coordination of activities from the point of view of occupational risks, estimated duration of the contract (start and end date). Number of workers that will be employed by the contractor or subcontractor in the work center of the main company.
- Compliance Complaints Channel (Complaints about violations of data protection regulations are transmitted to the “Chief Privacy Officer” located in the headquarters), for legitimate interest: Access to the data contained in these systems will be limited exclusively to those , whether or not included within the entity, carry out the functions of internal control and compliance, or those in charge of the treatment that are eventually designated for this purpose. However, it will be lawful for other people to access it, or even communicate it to third parties, when it is necessary for the adoption of disciplinary measures or for the processing of judicial procedures that, where appropriate, may apply.
- Risk Prevention Delegates are authorized to access information and documentation related to the working conditions that are necessary for the exercise of their functions and, in particular, those provided for in articles 18, 23 and 36 LPRL. The Prevention Delegates will be subject to the provisions of section 2 of article 65 of the Workers' Statute regarding professional confidentiality regarding the information to which they have access as a result of their actions in the company. (Article 37.3 LPRL).
- Occupational Risk Prevention Services: the treatment by the occupational risk prevention services of the medical history, as a result of the medical examinations carried out on workers, must be limited to the provisions of article 22.4 of the LPRL. In this sense, access to medical information obtained under the provisions of the LPRL by the employer or any third party is prohibited, including persons or bodies with responsibilities in matters of prevention, other than “medical personnel and the authorities.” health authorities that carry out monitoring of the health of workers”, with the sole exception of the conclusions derived from said monitoring regarding the fitness of workers to perform the job.
4) Under what guarantees are your data communicated?
The communication of data to third parties is carried out to entities that certify the provision of a Personal Data Protection System in accordance with current legislation.
5) How have we obtained your data?
- The interested party himself or his legal representative
- Q SENSES HOTELS SL, as well as the entity with which the data controller maintains a contractual relationship or provision of services and for which it must have personal data of contact persons for administrative and operational management in order to manage its access, incorporation into the object project/service and/or verification of regulatory compliance under the responsibility of the organization (eg, data related to workers who are going to carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks).
6) What category of data do we process?
Commercial data, contact persons for administrative and operational management associated with the execution of the contract/project and workers who will carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks; As a consequence of the provision of resumes of the supplier's personnel involved in the provision of the service/work, in order to accredit technical solvency in offers; In the case of workers who are going to carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks (The data that could arise from possible incidents or accidents at work of subcontractor workers would be incorporated into the treatment "Prevention of Occupational hazards"); Licenses or approvals, in the case of workers who are going to carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks; Professional details and employment details as a result of the contribution of resumes of the supplier's personnel involved in the provision of the service/work, in order to accredit technical solvency in offers; Commercial information and approval data; Economic, financial and/or collection conditions data; Goods and services supplied by the affected party, Financial transactions; Other types of data: Name, surname and NIF of legal representative, contact information of people in the organization involved or related to the project that is the subject of the contract/order.
The data structure that we process does not contain data related to criminal convictions and infractions, nor sensitive data, except in cases in which the owner has special conditions and must provide documentation that incorporates said information so that it can be accredited or justified compliance with said condition.
7) How is your personal data stored securely?
Q SENSES HOTELS SL takes all necessary measures to keep your personal data private and secure. Only authorized persons, authorized personnel of Third Parties or authorized personnel of our companies (who have a legal and contractual obligation to store all information securely) have access to your personal data. All staff who have access to your personal data are required to agree to respect the Privacy Policy and data protection regulations and all employees of Third Parties who have access to your personal data are required to sign the confidentiality commitments in the terms established in current legislation. In addition, it is contractually ensured that third party companies that have access to your personal data keep it securely. To ensure that your personal data is protected, as it has an IT security environment and takes the necessary measures to prevent unauthorized access. Group companies have entered into agreements to ensure that we process your personal data correctly and in accordance with data protection law. These agreements reflect the respective roles and responsibilities in relation to you, and consider which entity is in the best position to meet your needs. These agreements between group companies do not affect your rights under data protection law. For more information about these agreements, please do not hesitate to contact us.
8) CONFIDENTIALITY AND INFORMATION TO THIRD PARTIES FROM WHOM YOU PROVIDE DATA TO US
In compliance with the provisions of the personal data protection regulations, we process the information you provide us (as well as the personal data of contact persons for administrative and operational management in order to manage their access, incorporation into the object project/service). of the contracted service and/or verification of regulatory compliance under the responsibility of the organization, personal data of the legal representatives of the entity and/or of the people involved in the project (curriculum vitae) and/or personal references of previous work in order to prove technical solvency and, where applicable, personal data related to workers who are going to carry out the contracted work in terms of coordination of business activities associated with the prevention of occupational risks) in accordance with the provisions of the clause and additional information on data protection .
With the acceptance and/or validation of the process that serves as the basis for the formalization of your relationship with Q SENSES HOTELS SL, you expressly consent to the processing of data in accordance with the provisions of the clause and additional information on data protection, as well as informing and have the consent of third parties who provide us with personal data for said processing. Likewise, and to the extent that as a consequence of your relationship you may access personal data and/or confidential information, you are obliged to maintain absolute confidentiality and discretion regarding the information obtained about the activities, interested parties and entities related to Q SENSES HOTELS. SL or the group companies, especially with regard to Personal Data, even after the end of your relationship with the organization.
As stated above, you undertake to inform in your name and in an express, precise and unequivocal manner the owners of the data of whom you transfer information to the company - within the month following the moment of communication of the data to Q SENSES HOTELS SL, of the following aspects “Your personal data will be communicated to the Data Controller Q SENSES HOTELS SL–protecciondatos@grupoq.net. Said communication of data and their processing is carried out in compliance with current legislation on contractual, labor, occupational risk prevention and social security matters, with the purpose of informing, verifying and controlling compliance with the applicable legislation in relationship with the personnel designated by the supplier/collaborator for the execution of the contracted service and the maintenance of business relationship histories. Said treatment is mandatory in accordance with current legislation. Refusal to provide the data may result in the termination of the contract. Likewise, the interested party is informed that, in accordance with current legislation, they must communicate the information and data contained in the contracting process to organizations and third parties to whom, by virtue of current regulations, they have the obligation to communicate the data. Rights: The interested party may access, rectify and delete the data, as well as limit, withdraw or oppose the processing in accordance with the procedures established in our privacy policy. If you consider that the exercise of your rights has not been fully satisfactory, you may file a claim with the national control authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid. Origin: The data we process comes from the entity with which the data controller maintains a contractual relationship or provision of services and for which it must have personal data of contact persons for administrative and operational management in order to manage their access, incorporation into the object project/service and/or verification of regulatory compliance under the responsibility of the organization (eg, data related to workers who are going to carry out the contracted work in terms of coordination of business activities and prevention of occupational risks). The Data Structure that we process does not contain sensitive data, except in cases in which the owner is a beneficiary of special conditions and must provide records that allow proving or justifying compliance with said condition. You can consult our Privacy Policy on the corporate website”
ADDITIONAL INFORMATION PROCESSING OF VIDEO SURVEILLANCE DATA AND ACCESS RECORDING:
1) For what purpose do we process the personal data you provide us?
- Access/Visit Control and Video Surveillance of the Facilities, as well as security and regulatory compliance therein, preserving the safety of people and property and facilities, as well as for the exercise of the worker control functions provided for in Article 20.3 of the Workers' Statute, the investigation of possible incidents or accidents, management of associated insurance and management of warnings or sanctions for non-compliance with safety standards, through the video surveillance system.
- Verify compliance by workers with their work obligations and duties in accordance with article 20.3 of the Workers' Statute, which authorizes the employer to adopt surveillance and control measures for this purpose (controls related to the use of images captured by video surveillance systems to the investigation of accidents and/or incidents that may occur, as well as breaches of labor standards, crimes or illicit behavior).
- Health and safety management (prevention of occupational risks and safety surveillance) and compliance evaluation
- Schedule and/or face-to-face or attendance control and monitoring of functional performance
- Regulatory Compliance Management (applicable regulations as well as mandatory internal regulations): Investigation, monitoring and auditing of controls established for the prevention of crimes, with access controls to facilities, information systems and printing of documentation for all data being able to be established. of a personal nature under the responsibility of the organization and therefore for all the information systems of said entity, as well as the controls related to the use of images captured by video surveillance systems for the investigation of accidents and/or incidents that could occur, as well as breaches of labor standards, crimes or illicit behavior.
- Registration of Access/Visits and Video Surveillance of the Facilities, as well as security and regulatory compliance therein, investigation of possible incidents or accidents, management of associated insurance and management of warnings or sanctions for non-compliance with safety regulations.
- Others (specify): the investigation of possible incidents or accidents at work, management of associated insurance, as well as for the investigation of incidents and confirmation of compliance with the security and personal data protection standards established in the data protection systems and management systems implemented for all personal data under the responsibility of the organization and therefore for all information systems of said entity, as well as controls related to the use of images captured by video surveillance systems for investigation. of accidents and/or incidents that may occur, as well as breaches of labor standards, crimes or illicit behavior.
- Temporary control of body temperature to be able to access the entity for the following purposes (detect possible infected people and prevent their access to a certain place and their contact within it with other people):
- Protect the health and lives of the people who are in this work center.
- Contribute to the containment of the pandemic.
- Comply with occupational risk prevention regulations.
- Verify workers' compliance with the obligation to go to the workplace without fever.
- Inclusion in the whistleblower channel systems of the data associated with the reporting (even anonymously) of the commission within the organization or the actions of third parties that contracted with it, of acts or conduct that could result contrary to the general or sectoral regulations that may be applicable.
2) How long do we keep the data provided?
- The images/sounds captured by the video surveillance systems will be deleted within a maximum period of one month from their capture, except when they have to be preserved to prove the commission of acts that threaten the integrity of people, property or facilities (in which case , the images will be made available to the competent authority within a maximum period of 72 hours from becoming aware of the existence of the recording), or are related to serious or very serious criminal or administrative infractions in matters of public security, with a police investigation in progress or with an open judicial or administrative procedure (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art.22 LOPDGDD) – 30 days.
- The data included in the automated files created to control access to buildings (Instruction 1/1996, of March 1, of the AEPD, on Automated Files established for the purpose of controlling access to buildings) – 30 days
- The data of the person who makes the communication of a complaint and of the employees and third parties are kept in the complaints system to decide on the appropriateness of initiating an investigation into the reported events, as well as subsequently as evidence of the operation of the crime prevention model. commission of crimes by the legal entity, in accordance with the provisions of article 24 of the LOPDGDD.
- The entity has established the conservation period for temperature control data as the period necessary to face possible legal actions derived from the decision to deny access.
3) What is the legitimacy for the processing of your data?
- The legal basis for the processing of your data is to satisfy a legitimate interest of the Controller:
- Security and cases of legitimate interest in which the controller could be an injured party and the processing and communication of the non-compliant data to third parties is necessary in order to manage regulatory compliance and the defense of the interests of the controller, as well as assumptions of legitimate interest of specific treatments contemplated in the LOPDGDD: Article 19. Processing of contact data and individual entrepreneurs; Article 22. Treatments for video surveillance purposes; Article 24 Information systems for internal complaints).
- 20.3 and 4 Royal Legislative Decree 1/1995, of March 24, which approves the consolidated text of the Law on the Statute of Workers (ET): The employer may adopt the measures he deems most appropriate for surveillance and control to verify compliance by the worker with his or her work obligations and duties, maintaining in their adoption and application due consideration of their human dignity and taking into account the real capacity of disabled workers, if applicable.
- The employer may verify the state of illness or accident of the worker that is alleged by him to justify his lack of attendance at work, through examination by medical personnel. The worker's refusal to accept such recognition may determine the suspension of any economic rights that may exist under the responsibility of the employer due to such situations.
- (*) Ruling of the Constitutional Court 39/2016, of March 3 (LAW. 218/2016), arguing that this power of control is legitimized by art. 20.3 of the ET, which expressly authorizes the employer to adopt surveillance and control measures to verify compliance by workers with their labor obligations. This general power of control provided for in the law legitimizes business control of workers' compliance with their professional tasks and the workers' consent for such purposes is implicit in the conclusion of the employment contract. The legitimation of this purpose is fulfilled with the existence of several signs displayed by the organization in the facilities that announce the presence of installation of cameras and image capture and with explicit information, preferably in writing, consisting of that they will be to record, with the sole objective of controlling compliance with work obligations and that they may be sanctioned based on the recorded images in the event of proven non-compliance. In the same sense, STS 77/2017 of January 31, 2017.
- AEPD Video Surveillance Guide: Article 20.3 of the Workers' Statute empowers the employer to adopt the surveillance and control measures that it deems most appropriate to verify compliance by the worker with his or her work obligations and duties, maintaining due consideration in their adoption and application. to their human dignity and taking into account the real capacity of disabled workers, where applicable. These measures may include the capture and/or processing of images without consent. However, such practices are fully subject to the LOPD and Instruction 1/2006 and must comply with specific requirements.
- As the legal basis for the treatment associated with temperature control, compliance with the legal obligation to guarantee the safety and health of workers is specified. This legal basis is specified in this case in the following regulations:
- Status of workers.
- Law 21/1995 on Occupational Risk Prevention.
- Royal Decree 664/1997 on the protection of workers against risks related to exposure to biological agents during work*
- Action procedure for occupational risk prevention services against exposure to SARS-CoV-2
- Guidelines for good practices in the industrial sector in relation to Covid-19 (National Institute for Safety and Health at Work).
- Guidelines adopted by the entity's ORP service for legal authorization and delegation of preventive functions.
4) To which recipients can your data be communicated?
- Organizations or people directly hired by the Data Controller to provide services linked to the processing purposes (specify): Contracted security company
- Insurance Entities (specify): In the event of a claim, incident or accident, it is provided to insurance entities to investigate the event in order to delimit the scope and coverage of the insurance premium contracted by the data controller.
- Security Forces and Corps (specify): To the extent that a justified right of access is required in the investigation of a regulatory breach.
- The owner of the establishment, out of legitimate interest in the protection of the assets under his ownership
- Judges and Courts, as well as Security Forces and Bodies: To the extent that a justified right of access is required in the investigation of a regulatory breach.
- In the case of temperatures above the health threshold, access to the person will not be allowed and they will be entrusted to primary care services (in the case of external ones) or to the health surveillance service (in the case of internal ones). so that, in accordance with the protocol, the diagnostic tests and other communications established in accordance with the pandemic control protocol are carried out.
- Compliance Complaints Channel (Complaints about violations of data protection regulations are transmitted to the “Chief Privacy Officer” located in the headquarters), for legitimate interest: Access to the data contained in these systems will be limited exclusively to those , whether or not included within the entity, carry out the functions of internal control and compliance, or those in charge of the treatment that are eventually designated for this purpose. However, it will be lawful for other people to access it, or even communicate it to third parties, when it is necessary for the adoption of disciplinary measures or for the processing of judicial procedures that, where appropriate, may apply.
5) Under what guarantees are your data communicated?
The communication of data to third parties is carried out to entities that certify the provision of a Personal Data Protection System in accordance with current legislation.
6) What claim methods exist?
If you consider that the exercise of your rights has not been fully satisfactory, you may file a claim with the national control authority by contacting the Spanish Data Protection Agency, C/ Jorge Juan, 6 – 28001 Madrid.
7) What category of data do we process?
Image and identification and professional data, as well as reasons for your visit and/or person to visit, time of access and exit from the facility
Likewise, temperature control data may be available to the extent that temporary temperature controls are carried out for access to the facilities for the purposes of pandemic avoidance control, according to the COVID Data Processing Protocol that may be established. in terms of guaranteeing the job security of the people in the organization.
8) How is your personal data stored securely?
All necessary measures are taken to keep your personal data private and secure and will in any case comply with the provisions of Law 5/2014, of April 4, on Private Security and its implementing provisions. In this sense, it establishes and informs you of the following security measures:
- DUTY OF INFORMATION: Information is given about the existence of the cameras and image recording, in order to comply with the duty of information provided for in article 12 of the RGPD through an information device in a sufficiently visible place identifying the existence of the treatment, the identity of the person responsible and the possibility of exercising the rights provided for in articles 15 to 22 of the RGPD. A connection code or internet address to this information may also be included in the information device. In any case, the information referred to in the aforementioned regulation in this Privacy Policy referenced in the aforementioned device is kept available to those affected. In the event that the flagrant commission of an illegal act has been caught, the duty to inform will be deemed fulfilled when at least the video surveillance information device exists.
- LOCATION OF THE CAMERAS: It will only capture images of public roads to the extent that it is essential for the purpose of preserving security. In no case are sound recording or video surveillance systems installed in places intended for rest or recreation of workers or public employees, such as locker rooms, toilets, dining rooms and similar.
- SOUND RECORDING: Sound recording will only be carried out when the risks to the safety of the facilities, goods and people derived from the activity carried out in the work center are relevant and always respecting the principle of proportionality, the principle of intervention. minimum and guarantees.
- LOCATION OF MONITORS: The monitors where the images from the cameras are displayed are located in a restricted access space so that they are not accessible to unauthorized third parties.
- CONSERVATION: The images/sounds captured by video surveillance systems will be deleted within a maximum period of one month from their capture, except when they have to be preserved to prove the commission of acts that threaten the integrity of people, property or facilities (in which case, the images will be made available to the competent authority within a maximum period of 72 hours from when the existence of the recording became known), or are related to serious or very serious criminal or administrative infractions in matters of public security. , with a police investigation in progress or with an open judicial or administrative procedure (Instruction 1/2006, of November 8, of the AEPD, on the processing of personal data for surveillance purposes through camera or video camera systems and Art .22 LOPDGDD) – 30 days.
- LABOR CONTROL: The processing is carried out for the exercise of the worker control functions provided for in article 20.3 of the Workers' Statute, within its legal framework and with the limits inherent therein. To the extent that the cameras can be used for the purpose of labor control as provided for in article 20.3 of the Workers' Statute, workers and their representatives are informed about the present control measures established by the employer with indication expresses the purpose of labor control of the images captured by the cameras, as indicated in the inclusion notification clause and in this privacy policy.
- RIGHT OF ACCESS TO IMAGES: To comply with the right of access of the interested parties, a recent photograph and the National Identity Document of the interested party will be requested, as well as the details of the date and time to which the right of access refers. The interested party will not be provided direct access to the images from the cameras in which third party images are shown. To avoid affecting the rights of third parties, in the case of an access request, we will proceed to issue a certificate in which, with the greatest possible precision and without affecting the rights of third parties, the data that has been processed are specified. Ex. “Your image was registered in our systems on the ___ day of the month of the year between _ hours and _ hours. Specifically, the system records your access to and exit from the facility.
Q SENSES HOTELS SL has formalized agreements to guarantee that we process your personal data correctly and in accordance with current data protection regulations. These agreements reflect the respective roles and responsibilities in relation to you, and consider which entity is in the best position to meet your needs. These agreements do not affect your rights under data protection law. For more information about these agreements, please do not hesitate to contact us.
The Data Controller takes all necessary measures to keep your personal data private and secure. Only authorized persons, authorized personnel of third parties directly hired by the Data Controller for the provision of services linked to the purposes of treatment or authorized personnel of companies that operate under the commercial name of Q SENSES HOTELS SL (which have the legal and contractual obligation to store all information securely) have access to your personal data. All Q SENSES HOTELS SL staff who have access to your personal data are required to agree to respect the Privacy Policy of the Data Controller and the data protection regulations and all employees of Third Parties who have access to your data. personnel who sign the confidentiality commitments in the terms established in current legislation. In addition, it is contractually ensured that third party companies that have access to your personal data keep it securely. To ensure that your personal data is protected, we have an IT security environment and take the necessary measures to prevent unauthorized access.
9) CHANGES IN PRIVACY POLICY
Q SENSES HOTELS SL reserves the right to make, at any time, any modifications, variations, deletions or cancellations in the contents and in the form of presentation thereof that it deems appropriate, so we recommend that you always consult our privacy policy. who considers it pertinent. If you do not agree with any of the changes, you can exercise your rights in accordance with the procedure described by sending an email to protecciondatos@grupoq.net
In compliance with the provisions of the personal data protection regulations, we process the information that you provide to us (as well as the personal data of other people that you may provide to us) for the purposes specified in this privacy policy. In this sense, you declare that you have been informed, consent, as well as inform and have the consent of third parties who provide us with personal data for said processing.
By accessing the facilities subject to video surveillance, you expressly consent to the processing of data in accordance with the provisions of the clause and additional information on data protection, as well as informing and having the consent of third parties who provide us with personal data for the processing of access log.
Likewise, with the acceptance and/or validation of the process, you declare that you are over 14 years of age and have legal capacity** and expressly consent to the processing of data in accordance with the provisions of the clause and additional information on data protection. If you have checked the relevant consent box, the legal basis for such purposes is your consent, which you may withdraw at any time.
(**) In cases in which you represent a minor under 14 years of age or a person with legal incapacity, you responsibly declare that you have parental authority or guardianship of the minor or the corresponding legal representation, the justification of which may be required by the party. of the Data Controller in order to legitimize the accepted consent.
RECTIFICATION FORMS BY HOTEL