Last updated: 28 May 2018
A. GENERAL PART
1.1. COLLECTION AND PROCESSING OF USER DATA
Within the scope of the website hosted at www.barradasdaserra.pt ("Site"), the conclusion of any contract (i.e. hotel services, vouchers, services or agricultural products), the provision of information, content, including the newsletter, or any telephone contact to its users ("User") and other entities related to it, Herdade das Barradas da Serra, a limited liability company based at Rua Dr. Manuel Reis, nº 4, 7570 - 284 Grândola, registered at the Conservatório de Registro Civil/Predial/Comercial de Grândola under the unique registry and legal entity nº 507724909 (hereinafter "HBS") may request the User to provide personal data, that is, information provided by the User that will allow HBS to identify and/or contact him/her (hereinafter "Personal Data").
As a general rule, Personal Data are requested when the User makes a reservation on the Site, requests a contact and/or sends newsletters, provides or requests information, acquires a product or establishes a contractual relationship with HBS.
The Personal Data collected and processed consists essentially of information relating to name, gender, date of birth, telephone, mobile phone, e-mail, address, tax identification number, credit card details (collected for billing purposes only), although other Personal Data may be collected that may be necessary or convenient for the provision or billing of services by HBS.
After the collection of the Personal Data, HBS provides the User with detailed information on the nature of the data collected and on the purpose and treatment that will be given to such data, as well as the information mentioned in clause 8.
HBS also collects and handles information about the device characteristics of its hardware and browser/software features, as well as information about the pages visited by the User within the Site. This information, which is completely anonymous, may include the type of browser, domain name, access times and links through which you have accessed the Site ("Usage Information"). We use this information only to improve the quality of your visit to our site.
1.2. SUBCONTRACTED ENTITIES
These subcontractors may not transmit User Data to other entities without the prior written permission of HBS.
HBS undertakes to subcontract only to those entities that offer maximum security in the execution of the technical and organizational measures appropriate to guarantee the defense of the User's rights. All entities subcontracted by HBS are bound to HBS by a written contract regulating the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, their retention periods and the rights and obligations of the parties.
After the collection of the personal data, HBS provides the User with information on the subcontractors who, in the specific case, may carry out the processing of the data on behalf of HBS.
1.3. DATA COLLECTION CHANNELS
HBS may collect data directly (i.e., directly from the user) or indirectly (i.e., through partner entities or third parties). The collection can be done through the following channels:
Direct Collection: In person, by telephone, by e-mail and through the Site;
Indirect collection: through partners or group companies and official entities.
2. GENERAL PRINCIPLES APPLICABLE TO THE PROCESSING OF USER DATA
With regard to the general principles relating to the processing of personal data, HBS undertakes to ensure that the user data it processes are
- Processed in accordance with the law, fair and transparent to the User;
- Collected for specific, objective and legitimate purposes, and not further processed in a manner contrary to those purposes;
- Adequate, justified and limited to what is necessary in relation to the purposes for which they are treated
- Accurate and up-to-date where necessary, with all necessary steps being taken to ensure that data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of the user for no longer than is necessary for the purposes for which the data are processed;
- Processed in a way that ensures its security, including protection against unauthorised or unlawful processing and against loss, destruction or unexpected damage, by taking appropriate technical or organisational measures
Data processing carried out by HBS is permitted and legal when at least one of the following situations occurs:
- The user has given his free, explicit, unequivocal and informed consent to the processing of the user's data for one or more specific purposes;
- Processing is necessary for the conclusion of a contract to which the user is a party, or for pre-contractual procedures at the request of the user;
- Processing is necessary for the fulfilment of a legal obligation to which HBS is subject;
- processing is necessary for the defence of your or another person's essential interests;
- processing is necessary for the purposes of legal interests pursued by HBS or by third parties (unless the interests or fundamental rights and freedoms of the user requiring the protection of personal data prevail).
HBS undertakes to ensure that user data are processed only under the above-mentioned conditions and in accordance with the above-mentioned principles.
Where the processing of the user's data is carried out by HBS on the basis of the user's consent, the user has the right to withdraw such consent at any time. The withdrawal of consent, however, does not compromise the legality of the processing carried out by HBS on the basis of the consent previously given by the User.
The period of time during which data are stored and saved varies according to the purpose for which the information is processed and will be duly communicated to the User.
In fact, there are legal requirements that the data must be kept for a minimum period of time. Therefore, and where there is no specific legal obligation, the data will be stored and kept only for the minimum period necessary for the purposes for which they were collected or further processed within a maximum period of six months, which will be deleted upon its expiry.
3. USE AND PURPOSES OF USER DATA PROCESSING
In general terms, HBS uses user data for the following purposes:
- Provision of hotel services, associated services (restaurants, bars, etc.) and agro-forestry services;
- Management of user contacts;
- Invoicing and charging the user;
- To inform the User, who has requested it, and give his consent, of the new products and services available in the Site and/or in person, special offers and campaigns, updated information on HBS' activity and, in general, for HBS' marketing purposes, through any means of communication, including electronic support;
- To ensure that the Site meets the needs of the user, by developing and publishing content as appropriate to the requests and type of user, and by improving the search capabilities and functionality of the Site.
User data collected by HBS is not shared with third parties without the consent of the user, with the exception of the situations mentioned in the following paragraph. However, should the user contract services from HBS that are provided by other entities responsible for the processing of personal data, these entities may consult or access the user's data, to the extent necessary for the provision of such services.
In accordance with the applicable legal terms, HBS may transmit or communicate the User's Data to other entities in the event that such transmission or communication is necessary for the execution of the contract established between the User and HBS, or for pre-contractual actions at the request of the User, in the event that it is necessary for the fulfillment of a legal obligation to which HBS is subject, or in the event that it is necessary to obtain the legitimate interests of HBS or a third party.
4. TECHNICAL, ORGANIZATIONAL AND SECURITY MEASURES APPLIED
To ensure the security of user data and maximum confidentiality, HBS treats the information you provide to us in absolute confidence, in accordance with its internal security and confidentiality policies and procedures, which are updated periodically as required, and the legally stipulated terms and conditions.
Depending on the nature, scope, context and purposes of the processing of the data, as well as the risks arising from such processing to the rights and freedoms of the user, HBS undertakes to apply, both in defining the means of processing and at the time of processing itself, the necessary and appropriate technical and organizational measures for the protection of the user's data and for compliance with legal requirements.
It also undertakes to ensure that, by default, only the data necessary for each specific processing purpose are processed and that these data are not made available to an undetermined number of persons without human intervention.
5. TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION
Personal data collected and used by HBS is not made available to third parties outside the European Union. Should such a transfer take place in the future for the reasons mentioned above, HBS undertakes to ensure that the transfer complies with the applicable legal provisions, in particular with regard to determining the adequacy of that country in terms of data protection and the requirements applicable to such transfers.
B. USER RIGHTS (DATA OWNERS)
7. RIGHT TO INFORMATION
7.1 Information provided to the user by HBS (when data is collected directly from the user):
- The identity and contact details of HBS, the controller and, if applicable, his representative;
- The purposes of the processing for which the personal data are intended and, where applicable, the legal grounds for the processing;
- if the data processing is based on legitimate interests of HBS or a third party, an indication of such interests;
- where appropriate, the recipients or categories of recipients of the personal data;
- If applicable, an indication of whether the personal data will be transferred to a third country or to an international organisation, and whether there is a finding of adequacy adopted by the Commission or a reference to appropriate or adequate safeguards for the transfer;
- the period of storage of the personal data;
- the right to request authorisation for the personal data, as well as their correction, erasure or limitation, the right to object to the processing and the right to have the data made available;
- If the processing of the data is based on the user's consent, the right to withdraw the data at any time without compromising the legality of the processing carried out on the basis of the previously given consent;
- The right to file a complaint with the Police or other supervisory authority;
- An indication of whether or not the communication of personal data constitutes a legal or contractual obligation or a requirement for the conclusion of a contract, as well as whether or not the data subject is obliged to provide the personal data and the possible consequences of not providing it;
- where appropriate, the existence of automated decisions, including profiling, and information regarding the basic concept, as well as the scale and expected consequences of such processing for the data subject.
In case the user's data are not collected directly by HBS from the user, in addition to the information mentioned above, the user is informed about the categories of personal data being processed, as well as about the origin of the data and possibly whether they come from publicly accessible sources.
If HBS intends to further process the user's data for a purpose other than that for which the data were collected, HBS will provide the user with information about this purpose and any other relevant information prior to such processing, as mentioned above.
7.2 Procedures and measures applied to comply with the right to information.
The information referred to in section 7.1. is provided in writing (including by electronic means) by HBS to the user prior to processing the personal data in question. In accordance with the applicable legislation, HBS is not obliged to provide the user with the information mentioned in 7.1. when and to the extent that the user is already aware of it.
The information is provided by HBS free of charge.
8. RIGHT OF ACCESS TO PERSONAL DATA
HBS guarantees the means for the user to consult his personal data.
The user has the right to obtain confirmation from HBS whether or not personal data concerning him are being processed and, if so, the right to access his personal data and the following information:
- The purposes of the data processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients established in third countries or belonging to international organisations;
- the period of storage of the personal data;
- The right to request HBS to correct, delete or limit the processing of the personal data, or the right to prevent such processing;
- The right to file a complaint with the Police or other supervisory authority;
- If the data has not been collected from the user, the information available on the origin of such data;
- the existence of automated decisions, including profiling, and information concerning the logic behind them, as well as the significance and expected consequences of such processing for the data subject;
- the right to be informed of the appropriate safeguards associated with the transfer of data to third countries or international organisations.
Upon request, HBS will provide the user with a copy of the user data being processed free of charge. The provision of further copies requested by the user may entail administrative costs.
9. RIGHT TO CORRECT PERSONAL DATA
The user has the right to request, at any time, the rectification of his personal data, as well as the right to have his incomplete personal data completed, including by means of an additional declaration.
In the event of a correction of the data, HBS shall inform each recipient to whom the data have been transmitted of the correction, unless such communication is deemed impossible or would involve a disproportionate effort on the part of HBS.
10. RIGHT TO THE DELETION OF PERSONAL DATA ("RIGHT TO FORGET")
The user has the right to have his or her data deleted by HBS if one of the following reasons is given:
- The user data is no longer required for the purpose for which it was collected or processed;
- the user withdraws the consent on the basis of which the data were processed and there is no other legal basis for such processing;
- the user objects to the processing on the basis of the right to object and there are no higher legitimate interests justifying the processing;
- if the user's data are processed unlawfully;
- if the user data have to be deleted in order to comply with a legal obligation to which HBS is subject;
- HBS has no obligation to delete user data insofar as the processing is necessary for the fulfilment of a legal obligation to which HBS is subject or in order to assert, exercise or defend a right of HBS in legal proceedings.
In the event of deletion of data, HBS shall inform each recipient/entity to whom the data have been transmitted of their deletion, unless such communication proves impossible or involves a disproportionate effort on the part of HBS.
Where HBS has made the User Data public and is obliged to delete the data by virtue of the right to such deletion, HBS undertakes to ensure that reasonable steps are taken, including technical measures, taking into account available technology and the costs of their implementation, to inform those responsible for the actual processing of the personal data that the User has requested that links to such personal data, as well as copies or reproductions thereof, be deleted.
11. RIGHT TO LIMIT THE PROCESSING OF PERSONAL DATA
The user has the right to obtain from HBS the limitation of the processing of the user data if one of the following situations occurs (the limitation consists of inserting a mark in the stored personal data in order to limit their processing in the future):
- If you dispute the accuracy of the personal data for a period of time that allows HBS to verify its accuracy
- If the processing is illegal and the user objects to the deletion of the data, he must, in return, request that the use of the data be limited;
- if HBS no longer needs the user's data for processing, but the user needs them for the declaration, exercise or defence of a right in legal proceedings;
- if the user has opposed processing until it is established that HBS's legitimate reasons take precedence over the user's.
Where user data are subject to limitation, they may only be processed, with the exception of storage, with the consent of the user or for the purpose of asserting, exercising or defending a right in legal proceedings, to defend the rights of another natural or legal person, or for legally prescribed reasons of public interest.
The user who has obtained the limitation of processing of his data in the above cases shall be informed by HBS before the limitation of processing is lifted.
In the event of a restriction to the processing of data, HBS shall inform each recipient to whom the data have been transmitted of the respective restriction, unless such communication proves impossible or involves a disproportionate effort for HBS.
12. RIGHT TO THE TRANSFER OF PERSONAL DATA
The user has the right to receive the personal data concerning him/her that he/she has provided to HBS, in a structured, commonly used and machine-readable format, and the right to transmit such data to another controller, if he/she so wishes:
- processing is based on consent or on a contract to which the user is a party; and
- processing is carried out by automated means.
- The right of portability does not include inferred or derived data, i.e. personal data that are generated in the HBS as a consequence or result of the analysis of the data being processed.
The user has the right to have his or her personal data transferred directly between the data controllers, where this is technically possible.
13. RIGHT TO OBJECT TO PROCESSING
The user has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her, on the basis of the exercise of legitimate interests pursued by HBS or when the processing is carried out for purposes other than those for which the personal data were collected, including the definition of profiles, or when the personal data are processed for statistical purposes.
HBS will terminate the processing of User Data, unless it presents urgent and legitimate reasons for such processing which prevail over the interests, rights and freedoms of the User, or for the purpose of declaring, exercising or defending a right of HBS in legal proceedings.
Where User data are processed for direct marketing purposes, the User has the right to object at any time to the processing of data concerning him/her for such marketing purposes, including the definition of profiles insofar as it relates to direct marketing. If the user objects to the processing of his or her data for direct marketing purposes, HBS shall cease processing the data for this purpose.
The user also has the right not to be subject to any decision taken solely on the basis of automated processing, including profiling, which produces effects in his legal sphere or significantly affects him in a similar way, unless the decision
- is necessary for the conclusion or performance of a contract between the user and HBS;
- is authorised by the legislation to which HBS is subject; or
- is based on the explicit consent of the user.
14. PROCEDURES FOR THE EXERCISE OF THE USER'S RIGHTS
The right of access, the right of rectification, the right of deletion, the right of limitation, the right of portability and the right of opposition may be exercised by the User by contacting HBS at firstname.lastname@example.org.
HBS shall respond in writing (including by electronic means) to the User's request within a maximum period of one month from receipt of the request, except in cases of particular complexity where this period may be extended to two months.
If the user's requests are manifestly unjustified or excessive, in particular on account of their repetitive nature, HBS reserves the right to charge administrative costs.
15. VIOLATIONS OF PERSONAL DATA
In the event of a data breach and insofar as such breach may pose a high risk to the rights and freedoms of the user, HBS undertakes to report the personal data breach to the user in question within 72 hours of knowledge of the incident.
In legal terms, communication to the user is not necessary in the following cases:
- If HBS has implemented appropriate protection measures, both technical and organizational, and these measures have been applied to the personal data affected by the personal data breach, especially measures that make the personal data incomprehensible to any person not authorized to access such data, such as encryption;
- if HBS has taken subsequent steps to ensure that the high risk to your rights and freedoms is no longer likely to materialize; or In this case, HBS will make a public communication or take a similar action through which the user will be informed.
C. FINAL PART
17. APPLICABLE LAW AND JURISDICTION