A. GENERAL PART
1.1. COLLECTION AND PROCESSING OF USER DATA
Within the scope of the availability of the Site hosted in www.pestanatroia.com (hereafter referred to as “Site”), , the provision of information, content, including brochures, (collectively the “Services”) to its users (“User”), Pestana Management – Serviços de Gestão S.A., with its registered head office at Rua Jau, no. 54, 1300 – 314 Lisboa, under the corporate taxpayer number no. 511230397 (hereinafter referred to as “Pestana”) may request the user to make available personal data, information provided by the user that allow Pestana to identify and / or contact you (“Personal Information”).
As a rule, Personal Data is requested when the User requests a contact and / or sending of brochures..
Personal Data collected and processed consists of information regarding the name, telephone ,email and Country, although it may come to collect other Personal Data that may be necessary or convenient for the provision of Services by Pestana.
When collecting Personal Data, Pestana provides the User with detailed information about the nature of the data collected and about the purpose and processing that will be performed with respect to the Personal Data, as well as the information mentioned in clause 7.
Pestana also collects and handles information about your hardware and software, as well as information about the pages visited by the User within the Site. This information may include: your browser type, domain name, access times and links through which the User has accessed the Site (“Usability Information”). We use this information only to improve the quality of your visit to our Site.
1.2. PERSONAL DATA TRANSFER TO THE THIRD PARTIES
I) Data communication to the processors
These subcontracted entities may not transmit the User Data to other entities without Pestana Group having given prior written authorization to do so, and are also prevented from contracting other entities without Pestana Group’s prior authorization.
Pestana Group undertakes to only subcontract to entities that offer the maximum security in the implementation of the appropriate technical and organizational measures, in order to guarantee the defense of the User’s rights. All entities sub-contracted by Pestana Group shall be bound by Pestana Group by means of a written agreement which covers: the object and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the parties and other obligations provided by the article 28 of GDPR.
In accordance with information duty to which Pestana Group is bound, we are listing below the processors categories to which the personal data of the Pestana Group website users and guests is communicated:
|Processors Categories||Processing of Personal Data Purposes|
|Licensing, maintenance, support and technical software and systems technical support||Management / maintenance / systems and software support to the Pestana Group’s activity|
|Payment service processing, EDI and electronic billing services, accounting, tax and administrative management companies and business support software||Economic and accounting management of the invoicing of the guests, suppliers and service providers|
|Commercial Promoters||Promotion / Sale of Pestana Group services|
|Direct marketing support companies / digital marketing partners||E-mail marketing sending assistance, performances’ analysis and disclosure of publicity|
|Security companies and preventive and corrective maintenance of security systems companies||Video surveillance for the security of people and property|
II) Data communication of other recipients
Pestana Group can further communicate to other third parties not qualified as processors pursuant to the article 4 (8) of the GDPR. This entities are subject to confidentiality and may not transmit the User’s and guests’ Data to other entities without prior written authorization of Pestana Group to do it , ensuring that they process personal data in accordance with the provisions of the GDPR.
Pestana Group communicates the data to other recipients, in detail:
|Recipientes Categories||Processing of Personal Data Purposes|
|Companies that explore commercial establishments inside Pestana Group Hotels||Supplementary services provided to guests|
|Travel agencies and tour operators||Reservation of stays and provision of hotel services|
|Advisers or Lawyers||Provision of consultancy services and legal services|
|Different companies of additional services requested by guests||Taxi service / Transfers to the airport, Car parking services, car rental, garden maintenance restaurants reservations and other activities requested by guests|
1.3. DATA COLLECTION CHANNELS
Pestana can collect data directly (ie, directly from the user) or indirectly (ie, through partner organizations or others). The collection can be done through the following channels:
- Direct collection: in person, by phone, by e- mail and through the Site;
- Indirect collection: through partners or group companies and official entities.
2. GENERAL PRINCIPLES APPLICABLE TO THE PROCESSING OF USER DATA
In terms of general principles concerning the processing of personal data, Pestana undertakes to ensure that the User Data processed by you are:
✓ Object of a lawful, fair and transparent processing with respect to the User;
✓ Collected for specified, explicit and legitimate purposes and not subsequently treated in a manner incompatible with those purposes;
✓ Appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
✓ Accurate and up-to-date where necessary, all appropriate measures being taken to ensure that inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay;
✓ Preserved in a form that allows the identification of the User only for the period necessary for the purposes for which the data are processed;
✓ Treaties in a manner that ensures their safety, including protection against their unauthorized or unlawful processing and against their accidental loss, destruction or damage, and appropriate technical or organizational measures are taken.
Data processing performed by Pestana is legal when at least one of the following situations occurs:
→ The User have given your explicit consent to the processing of User Data for one or more specific purposes;
→ The processing is necessary for the execution of a contract in which the User is a party, or for pre-contractual procedures at the request of the User;
→ The processing is necessary for the fulfillment of a legal obligation to which Pestana is subject;
→ The processing is necessary for the defense of vital interests of the User or another natural person;
→ The processing is necessary for the legitimate interests pursued by Pestana or by third parties (except if the interests or fundamental rights and freedoms of the User that require the protection of the personal data prevail).
Pestana is committed to ensure that the processing of User Data is only made in the above listed conditions and with respect for the principles mentioned above.
When the processing of the User Data is performed by Pestana based on the consent of the User, the User has the right to withdraw his consent at any time. The withdrawal of consent, however, does not compromise the lawfulness of the processing made by Pestana based on the consent previously given by the User.
The length of time during which the data is filed and stored varies according to the purpose for which the information is being processed, being stored only for the necessary time for the fulfilment of the purposes for which they are processed, taking into account the Data Retention Policy approved by Pestana Group.
Effectively, there are legal requirements that require you to retain the data for a minimum period of time. Thus, and where there is no specific legal requirement, the data will be stored and kept only for the minimum period necessary for the purposes that led to their collection or subsequent processing, after which they will be eliminated.
3. USING AND USER DATA PROCESSING PURPOSES
In general terms, Pestana uses the User Data for the following purposes:
• Management of contacts with the User;
• Inform the User, who has requested it, new products and services available on the Site and / or in the residences, offers and special campaigns, updated information on the activity of Pestana, generally for the purpose of marketing of Pestana and its hotels, by any means of communication including electronic format;
• Ensure that the Site meets User’s needs by developing and publishing content that is best adapted to the requests and type of User, improving the search capabilities and functionalities of the Site and obtaining aggregate or statistical information regarding to the user’s profile (analysis of consumption profiles);
• Provision of Services, and other services, such as newsletters, opinion surveys, or other information or products requested or purchased by you;
• Pestana can combine Usability information with anonymous demographic information for research purposes, and we can use the result of this combination to provide relevant content on the Site. In certain restricted areas of the Site, Pestana can combine Personal Data with Usability information to provide the User a more personalized content.
The User Data collected by Pestana will not be shared with third parties without the consent of the User, except for the situations referred to in the following paragraph. However, in the event that the User engages through Pestana services that are provided by other data controllers, User Data may be consulted or accessed by such entities, to the extent that it is necessary to provide such services.
4. IMPLEMENTED TECHNICAL, ORGANIZATIONAL AND SECURITY MEASURES
In order to ensure the security of User Data and maximum confidentiality, we treat the information you have provided in an absolute confidential manner, in accordance with our internal security and confidentiality policies and procedures, which are updated periodically as required, as well as accordance with the terms and conditions legally set forth.
Depending on the nature, scope, context and purpose of the data processing, as well as the risks arising from the processing of the rights and freedoms of the User, Pestana undertakes to apply, both when defining the means of processing and at the time of the processing itself,
the technical and organizational measures necessary and adequate for the protection of User Data and for compliance with legal requirements.
Pestana also undertakes to ensure that, by default, only data that are necessary for each specific purpose are processed and that such data are not made available without human intervention to an indeterminate number of persons.
In terms of general measures, Pestana adopts the following:
→ Regular audits to assess the effectiveness of the technical and organizational measures implemented;
→ Sensitization and training of personnel involved in data processing operations;
→ Pseudonymization and encryption of personal data;
→ Mechanisms capable of ensuring the permanent confidentiality, availability and resilience of information systems;
→ Mechanisms to ensure the restoration of information systems and access to personal data in a timely manner in the event of a physical or technical incident.
5. TRANSFER OF DATA OUT OF THE EUROPEAN UNION
The personal data are collected and used by Pestana are not made available to third parties established outside the European Union. If, in the future, this transfer happen for the reasons mentioned above, Pestana is committed to ensure that the transfer complies with the applicable legal provisions, in particular in determining the suitability of that country with regard to data protection and the requirements to such transfers.
When you visit our Site, a small text file (Cookie) is created and recorded on your computer disc, so when you visit the Site via a browser you are accepting the creation of this text file in your device. This file will provide you with a greater speed and an easier access to the Site, as well as its customization in accordance with your preferences.
By using our Website, you agree to collect and store small text files named cookies, which contain information and that are sent to your computer or to other Users Devices through a server. These text files enable a more efficient and customized experience of browsing. Whenever you visit our Website, your internet browser sends these cookies back to the Website, allowing the recognition and memorization of the you identity, as well as your usage preferences.
I. What are Cookies?
Cookies are small software files, which are stored on your device through the browser, and that hold a certain amount of data, namely, regarding the state of the navigation, and the activity during you are browsing. These cookies data can then be retrieved and can allow us to customise our web pages and services accordingly, through the information previously introduced on the Website.
II. What cookies do we use?
Necessary Cookies to:
(i) Allow the navigation on the website;
(ii) Use website’s features, such as accessing secure areas and exclusive contents for registered Users.
Functionality Cookies to:
(i) Record information about our Users options;
(ii) Allow the customization of our Website accordingly with your needs, namely, to memorise the language.
Performance Cookies to:
(i) Monitor how is your access to our Website and the regularity of this access.
Session cookies to:
(i) The reservation process, since this type of cookies are safer and can not be manipulated by third parties.
(ii) We also use direct or indirect analytical services to assess the effectiveness of our content and the Users’ preferences, which help us with the optimization of the functioning of this Website.
We also use web beacons or tracking pixels to count the number of visitors to our Website, anonymously and without identifying any particular User. However, for registered Users who are connected to the Website we will combine this information with the data collected through cookies to analyze how Users navigate in this Website in more detail.
III. How to control cookies:
All recent versions of popular browsers give Users a level of control over cookies. Users can set their browsers to accept or reject all, or certain, cookies. Users can also set their browser to prompt them each time a cookie is offered.
Please note that, when you delete or block cookies, some functionalities of the website may be affected.
If you want to know more about how Cookies work, you can check the AboutCookies.org or Cookiecentral.com Websites.
IV. Cookies Security:
Since Cookies can be intercepted or changed, we take the following security measures:
(i) Sensitive information – such as passwords or personal data such as the guest’s address or telephone number – is not stored;
(ii) Non-secure requests (HTTP) are not sent where cookies are sent to the browser in plain text and can be intercepted.
7. TOOLS USED FOR ANALYTICS AND USER BEHAVIOUR
In this Site is used Google Analytics, a web analysis service provided by Google Inc., (hereinafter “Google”).
The cookies are being recorded in order to provide information on the Site’s use. This data, including the user’s IP address, is transmitted to Google servers, but the data collected by Google Analytics is not related to any other data held by Google.
You may also deactivate the tool by downloading and installing a browser add-on available from Google: https://tools.google.com/dlpage/gaoptout?hl=en.
Facebook and Instagram:
In the Site there is an interactivity with Facebook and Instagram through a connection with these social networks’ servers is established. This allows the social networks to identify the Site that the User is visiting, and potentially store other data such as the IP address.
If the user is also connected in these social networks, may also be associated the data with the User’s account. If the user wants to prevent this, should done log out from Facebook and/ or Instagram before visiting the webpage.
You can find more information about how Facebook and Instagram process data on their Sites: https://www.facebook.com/about/privacy/ and https://help.instagram.com/519522125107875
B. USER RIGHTS (DATA SUBJECT)
8. RIGHT TO INFORMATION
8.1. Information provided to the User by Pestana (when data are collected directly from the User):
• The identity and contacts of Pestana responsible for the processing and, if applicable, of its representative;
• The contacts of the Data Protection Officer;
• The purposes for which the personal data are processed and, where applicable, the legal basis for processing;
• If the processing of the data is based on the legitimate interests of Pestana or a third party, indicating such interests;
• If applicable, recipients or categories of recipients of personal data;
• If applicable, indication that personal data will be transferred to a third country or an international organization, and whether or not a decision on adequacy has been adopted by the Commission or reference to appropriate or appropriate transfer guarantees;
• Deadline for the preservation of personal data;
• The right to request Pestana access to personal data and their rectification, erasure or limitation, the right to object to the processing and the right to data portability;
• If the processing of the data is based on the consent of the User, the right to withdraw consent at any time, without compromising the lawfulness of the processing made on the basis of the consent previously given;
• The right to file a complaint with the CNPD or other supervisory authority;
• Indication whether or not the communication of personal data constitutes a legal or contractual obligation or a requirement to conclude a contract and whether the holder is required to provide the personal data and the possible consequences of not providing such data;
• If applicable, the existence of automated decisions, including the definition of profiles, and information concerning the underlying logic, as well as the importance and expected consequences of such processing for the data subject.
• No caso de os Dados do Utilizador não serem recolhidos diretamente pelo Pestana junto do Utilizador, além das informações referidas acima, o Utilizador é adicionalmente informado acerca das categorias de Dados Pessoais objeto de tratamento e, bem assim, acerca da origem dos dados e, eventualmente, se provêm de fontes acessíveis ao público.
Should the User Data is not collected directly by Pestana, in addition to the above mentioned information, the user is additionally informed of the categories of personal data that are processed and also the data source and, eventually, if it originates from public sources.
If Pestana intends to proceed with further processing of User Data for a purpose other than that for which the data were collected prior to such processing Pestana will provide the User with information on this purpose and any other pertinent information, in the terms referred to above.
8.2. Procedures and measures implemented to fulfill the right to information.
The information referred to in 8.1. is given in written form (including electronic means) by Pestana to the User prior to the processing of personal data in question. Under applicable law, Pestana has no obligation to provide to the user the information mentioned in 8.1 if and to the extent that the user is already aware of them. The information is provided by Pestana free of charge.
9. RIGHT OF ACCESS TO PERSONAL DATA
Pestana provides the means to access, the user, to your Personal Data.
The User has the right to obtain from Pestana a confirmation of which personal data concerning him are subject to processing and, if applicable, the right of access to your personal data and the following information:
✓ The purposes of data processing;
✓ The categories of personal data in question;
✓ The addressees or categories of recipients to whom the personal data have been or will be disclosed, in particular to recipients established in third countries or belonging to international organizations;
✓ The term of retention of personal data;
✓ Right to request from Pestana the rectification, deletion or limitation of the processing of personal data, or the right to object to such processing;
✓ Right to file a complaint with the CNPD or other supervisory authority;
✓ If the data has not been collected from the User, the available information on the origin of such data;
✓ The existence of automated decisions, including the definition of profiles, and information on the underlying logic, as well as the importance and expected consequences of such processing for the data subject;
✓ Right to be informed about the appropriate safeguards associated with the transfer of data to third countries or international organizations.
Upon request, Pestana will provide the User, free of charge, with a copy of the User Data that is being processed. The provision of other copies requested by the User may entail administrative costs.
10. RIGHT TO RETIFICATION OF PERSONAL DATA
The User has the right to request, at any time, the rectification of his Personal Data and also the right to have incomplete personal data completed, including by means of an additional declaration.
In case of rectification of the data, Pestana communicate to each recipient to whom the data have been transmitted to respective rectification, unless such communication proves impossible or involves a disproportionate effort for Pestana.
11. RIGHT TO ERASURE OF PERSONAL DATA (“RIGHT TO BE FORGOTTEN”)
The User has the right to obtain, by Pestana, erase your data when one of the following reasons applies:
✓ User Data is no longer required for the purpose for which it was collected or processed;
✓ The User withdraws the consent on which the data processing is based and there is no other legal basis for such processing;
✓ The User opposes the processing under the right of opposition and there are no prevailing legitimate interests justifying the processing;
✓ In case the User Data is unlawfully processed;
✓ If User Data is to be deleted in order to comply with a legal obligation to which Pestana is subject.
Pursuant to applicable law, Pestana has no obligation to delete the User Data to the extent that the processing proves necessary to fulfill a legal obligation to which the Pestana is subject or for the purpose of establishment, exercise or defense of a right of Pestana in legal proceedings.
In case of deletion of data, Pestana communicate to each recipient / entity to whom the data have been transmitted the respective deletion, unless such communication proves impossible or involves a disproportionate effort for Pestana.
When Pestana has made the User Data public and is obliged to delete it under the erasure right, Pestana undertakes to ensure reasonable measures, including technical ones, taking into account available technology and the costs of its application, in order to inform those responsible for the effective processing of personal data that the User has requested to erase the connections for such personal data, as well as copies or reproductions thereof.
12. RIGHT TO THE RESTRICTION OF THE PROCESSING OF PERSONAL DATA
The User has the right to obtain, on Pestana, the restriction of the processing of User Data if one of the following situations applies (the restriction is to insert a mark in the personal data preserved with the purpose of limiting its processing in the future):
✓ If you dispute the accuracy of the personal data, over a period to enable Pestana to verify its accuracy;
✓ If the processing is unlawful and the User opposes the erasure of the data, requesting, on the other hand, the limitation of its use;
✓ If Pestana no longer require User Data for processing purposes, but such data is required by the User for the purposes of declaration, exercise or defense of a right in a legal proceeding;
✓ If the user has opposed the processing until it is found that the legitimate reasons of Pestana prevail over those of the User.
When User Data is subject to restriction, they may only, except preservation, be processed with the consent of the User or for the purpose of declaring, exercising or defending a right in a judicial process, defending the rights of another natural or legal person or for reasons of public interest legally envisaged.
The User who has obtained a restriction to the processing of their data in the above cases will be informed by Pestana before the processing restriction is overridden.
In the event of data processing being limited, Pestana communicate to each recipient to whom the data have been transmitted to respective limitations, unless such communication proves impossible or involves a disproportionate effort for Pestana.
13. RIGHT OF PORTABILITY OF PERSONAL DATA
The User has the right to receive the personal data concerning him and which he has provided to Pestana in a structured, in-use, automatic reading format and the right to transmit such data to another controller, if:
✓ The processing is based on the consent or a contract to which the User is a party; and
✓ The processing is performed by automated means.
The right of portability does not include inferred data or data derived, ie, personal data that is generated by Pestana as a consequence or result of the analysis of the data being processed.
The User has the right to have personal data transmitted directly between those responsible for the processing, whenever this is technically possible.
14. RIGHT TO OBJECT THE PROCESSING
The User has the right to object at any time, on grounds relating to his particular situation, to the processing of personal data concerning him that based on the exercise of legitimate interests pursued by Pestana or when the processing is performed for purposes other than those for which personal data were collected, including the definition of profiles, or when personal data are processed for statistical purposes.
Pestana cease the processing of User Data unless it presents compelling legitimate grounds for such processing to prevail over the interests, rights and user freedoms, or for the purpose of establishment, exercise or defense of a right of Pestana in judicial proceedings.
When User Data is processed for the purpose of direct marketing, the User has the right to oppose at any time the processing of the data that concern him for the purposes of said commercialization, which includes the definition of profiles in the insofar as it relates to direct marketing. If you object to the processing of your data for the purposes of direct marketing, Pestana ceases processing of the data for this purpose.
Users also have the right not to be subject to any decision made solely on the basis of automated processing, including profiling, that has legal effects or significantly affects it in a similar way, unless the decision:
• It is necessary for the execution or execution of a contract between the User and Pestana;
• Is authorized by legislation to which Pestana is subject; or
• It is based on the explicit consent of the User.
15. PROCEDURES TO THE EXERCISE OF THE RIGHTS BY THE USER
The right of access, the right of rectification, the right of erasure, the right to restriction, the right of portability and the right to objection may be exercised by the User through the access of the platform available in the following link: pestanahotelgroup.atlassian.net/servicedesk/customer/portal/5 .
For further information regarding data protection subject please contact with the Data Protection Officer of the Pestana Group, through email email@example.com and/or through registered post to para Rua Jau, no. 54, 1300 – 314 Lisboa.
Pestana will respond in writing (including by electronic means) to the request of the User within a maximum of one month from the receipt of the request, except in cases of special complexity, where this period may be extended by up to two months.
If the requests made by the User are manifestly unfounded or excessive, in particular because of their repetitive nature, Pestana reserves the right to charge administrative costs or refuse to comply with the request.
16. VIOLATIONS OF PERSONAL DATA
In the event of a breach of data and to the extent that such breach is likely to pose a high risk to the rights and freedoms of the User, Pestana undertakes to communicate the violation of personal data to the User in question within 72 hours of the knowledge of the incident.
In legal terms, communication to the User is not required in the following cases:
• If Pestana has implemented appropriate technical and organizational protection measures and these measures have been applied to personal data affected by the breach of personal data, in particular measures that make personal data incomprehensible to anyone not authorized to access such data, such as encryption;
• If Pestana has taken subsequent action to ensure that the high risk to the rights and freedoms of the User is no longer likely to materialize; or
• If communication to the User implies a disproportionate effort for Pestana. In this case, Pestana will make a public communication or take a similar action through which the User will be informed.
C. FINAL PART
If the change is substantial, a notice will be placed on the Site.
18. RIGHT TO COMPLAIN BEFORE THE SUPERVISORY AUTHORITY
Please note that you have also the right to lodge a complaint with the competent supervisory authority — National Data Protection Committee, with its head office at Av. D. Carlos I, 134 – 1.º 1200-651 Lisbon, with the following phone number (+351) 213928400 and the following e-mail: firstname.lastname@example.org.
19. APPLICABLE LAW AND FORUM