Entidade
Responsável pelo Tratamento dos Dados
Summer C Colours - Agrupamento
Turístico e Imobiliário - A.C.E.
Rua Joaquim António de Aguiar
nº 66, 6º, 1070 153, Lisboa
Email: dpo@discoveryportugal.com
A.
GENERAL
PROVISIONS
A.1.
COLLECTION AND PROCESSING OF PERSONAL DATA
Within the scope of the website hosted in www.octanthotels.com (“Site”) and the services and
communications made available therein, SUMMER C COLORS - AGRUPAMENTO
TURÍSTICO E IMOBILIÁRIO - ACE, headquartered at Rua Joaquim António de Aguiar
nº 66, 1070 153, Lisbon, Portugal, under the single registration number and
corporate person 510945961, holder of the national trademark no. 529580 DHM DISCOVERY HOTEL MANAGEMENT and national trademark no.
675712 OCTANT (hereinafter referred to as " Data Controller ") may request and process certain
personal data from the users.
Personal
Data should be understood as means any information relating to an identified or
identifiable natural person (“Data Subject” or “User”); an identifiable natural
person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that
natural person
A.2.
PERSONAL
DATA COLLECTED
Through
this Privacy Policy, the Data Controller aims to provide detailed information
to the User regarding the nature and data collected, the purposes, and the
processing operations regarding the personal data.
The
Personal Data collected and processed may include information regarding name,
gender, date of birth, telephone, mobile phone, email, address, tax
identification number, and credit card data (collected for billing purposes
only), although we may have to collect other Personal Data that is eventually necessary
or appropriate for the provision or charging of services by the Data Controller.
As
a rule, Personal Data is required when the User registers on the Site, requests
a contact and/or subscribes a newsletter, requests a certain service, provides
or requests information, acquires a product or establishes a contractual
relationship with DHM. We may also collect data concerning your health whenever
you use our health club or Spa, case where we will ask for you explicit
consent.
The
Data Controller also collects and processes information about the
characteristics of the user’s hardware device and browser/software features, as
well as information about the pages visited by the User within the Site. This
information may include browser type, domain name, access times and links by
which the User has accessed the Site
The
Data Controller may collect your personal data through cookies and other
tracking technologies. The use of cookies by the Data Controller is regulated
in our Cookie
Policy.
A.3. DATA PROCESSORS AND DATA SHARING WITH THIRD
PARTIES
As part of its data processing activities the Data Controller may engage
with third parties, subcontracted by the former, to process Personal Data on
its behalf, in accordance with its instructions, and in compliance with the General
Data Protection Regulation (hereinafter, “GDPR”), the GDPR Execution Law (Law
no. 58/2019, of 8 of august) and this Privacy Policy.
These
processors may not disclose the Personal Data to other entities without the
Data Controller having given prior written authorization to do so. Additionally,
they are also prevented from contracting other processors without the
Controller’s prior authorization.
The
Data Controller will only enter into agreements with processors that have
implemented the appropriate technical and organizational measures, in order to
guarantee the defense of the User’s rights. The Data Controller shall bind all
the processors contracted by a written agreement that covers the object and
duration of the processing, the nature and purpose of the processing, the type
of personal data, the categories of data subjects and the rights and
obligations of the parties.
At
the moment of collection of personal data, the Data Controller provides the User
with information on the categories of processors that, in this case, may
process data on its behalf.
The
Controller may also transfer your data to third parties when it believes that
such a transfer is necessary and adequate: (i) to achieve a lawful purpose
under the applicable law; (ii) to comply with its legal obligations/orders from
administrative, law enforcement or other judicial entities; or (iii) to provide
information or comply with orders from public or governmental entities. The situations
above may include sharing data with companies within the Data Controller’s
corporate group, when doing so is lawful.
A.4. DATA COLLECTION CHANNELS
The
Data Controller may collect data directly (i.e., directly from the User) or
indirectly (i.e. commercial partners or third parties). Such collection may operate
through the following channels:
Direct
collection: in person, by telephone, via e-mail and through the Site;
Indirect
collection: through affiliates and official entities.
B. GENERAL PRINCIPLES APPLICABLE TO THE
PROCESSING OF USER DATA
In
terms of general principles regarding the processing of personal data, the Data
Controller undertakes to ensure that the User’s Personal Data processed is:
- Processed in accordance with the law,
as well as being fair and transparent in relation to the User;
- Collected for specific purposes that
are objective and legitimate, not being processed subsequently in any way that
runs contrary to these purposes;
- Appropriate, justified and limited to
what is necessary in relation to the purposes for which the data is processed;
- Accurate and updated whenever
necessary, ensuring that inaccurate data, taking into account the purposes for
which they are processed, is erased or corrected without delay;
- Only retained for as long as
necessary to fulfil the purposes we collected it for, including for the
purposes of satisfying any legal, accounting, or reporting requirements;
- Handled in a manner that ensures security,
including protection against their unauthorized or illegal processing and
against their loss, destruction or unforeseen damage, with appropriate
technical or organizational measures being taken on this matter.
Data processing carried out by the Data Controller is permitted and legal when at
least one of the legal bases under Article 6 of the GDPR (jointly, when
applicable with one of the exceptions of article 9 and article 10 of the GDPR).
The Data Controller undertakes to ensure that the processing of User
Data takes place under the conditions and respecting the principles above
mentioned.
The time on which the data is filed and stored varies according to the
purpose for which the information is being processed.
However, there are legal requirements that require the data to be
preserved for a minimum period. In particular, data that is required for
billing or that should be considered as commercial documentation and letters
should be stored for 10 years. Information necessary to allow you to access to
restricted area of the Site shall be stored until you request deletion of your
account. In addition, data used for direct marketing shall be kept until you
request that we stop sending you direct marketing messages. Where there is no
specific legal obligation, data will be stored and kept only for the minimum
period necessary for the purposes that led to their collection or subsequent
processing, being eliminated when that processing ends.
B.1. USE AND PURPOSES OF USER DATA
PROCESSING
The
Data Controller processes Personal Data for the following purposes:
- Provision of hotel services and
associated services (restaurants, bars, spa, etc.);
- Contact management;
- Invoicing and billing;
- Registration on the Site;
- Providing information to the User upon
requests, about new products and services that have been made available on the Site
or at the hotel, special offers and campaigns, updated information on the Data
Controllers’s business operations and, generally, for the purpose of marketing,
using any means of communication;
- Allowing access to restricted areas
of the Site;
- Ensuring that the Site meets the
User’s needs by developing and publishing content that is best adapted to the
requests made and the type of User, improving the search capabilities and
functionalities of the Site and obtaining associated or statistical information
regarding to the user’s profile (analysis of consumption profiles);
- Providing other services such as
newsletter, opinion studies, or other information or products requested or
bought by the User;
- Recording of telephone calls that may
be made in connection with the request or provision of information about
reservations, vouchers and other products or services and their commercial
conditions of use and the establishment of any contractual relationship,
either during the formation phase of the contract or while it is in force;
- The Data Controller may also combine
user information with anonymous demographic information for research purposes
and may use the result of that research to provide you with relevant content on
the website. In certain restricted areas of the Site, the Controller may also
combine Personal Data with usability information to provide the User with more
personalized content.
B.2. IMPLEMENTED TECHNICAL, ORGANIZATIONAL
AND SECURITY MEASURES
In
order to guarantee the security and maximum confidentiality of the Personal
Data, the Controller treats the information you provided to us in an absolutely
confidential manner, in accordance with its internal security and
confidentiality policies and procedures, which are updated periodically as
required, as well as the terms and conditions legally set out.
Depending
on the nature, scope, context and purpose of data processing, as well as the risks
arising from the processing to the rights and freedoms of the User, the
Controller undertakes to apply, both when defining the method and timing of
handling the data, the necessary and appropriate technical and organizational
measures for the protection of personal data in compliance with legal
requirements.
The
Controller also undertakes to ensure that, as a principle, only data that are
necessary for each specific purpose are processed and that such data are not
disclosed without human intervention to an indeterminate number of people.
Nevertheless,
in terms of general measures, the Controller adopts the following:
- Regular audits to identify the
effectiveness of the implemented technical and organizational measures;
- Sensitization and training of
personnel involved in data processing operations;
- Pseudonymisation and coding of
personal data;
- Mechanisms capable of ensuring the
permanent confidentiality, availability and resilience of information systems;
- Mechanisms to ensure the restoration
of information systems and access to personal data in a timely manner in the
event of a physical or technical incident.
B.3. DATA TRANSFERS TO THIRD COUNTRIES
The data
processing operations associated with the interaction of the Data Subject with
the Site shall not entail the transfer of data, or the processing thereof,
outside the European Economic Area.
However,
should it become necessary to transfer your data outside the European Economic
Area, for example, in the context of using certain providers of computer
systems support services, the Data Controller will implement the necessary
measures to ensure that these transfers comply with the law, in particular with
Chapter V of the GDPR, and that an essentially equivalent level of protection
is guaranteed to the Data Subjects' personal data. This may be achieved, for
example, by ensuring the existence of a European Commission Adequacy Decision
relating to the country of destination or by concluding Standard Contractual
Clauses and, if necessary, implementing additional measures.
C.
USER
RIGHTS (DATA SUBJECTS)
Under the GDPR, the Data Subject is entitled to exercise
the following rights:
|
Right of access
|
The Data Subject has the right obtain confirmation as to whether
his/her personal data are being processed and, where that is the case,
access. A copy of the data being processed will be made available to the Data
Subject on request, as long as no legal restrictions are applicable.
|
|
Right to
rectification
|
The User may request for inaccurate or incomplete personal data
concerning him/her to be rectified or completed.
|
|
Right to erasure
|
Where one of the legal grounds for doing it so under the GDPR applies,
the User may also, at any time, request the deletion of personal data
concerning him/her. The Data Controller may refuse to grant such request in
certain situations, in particular when the data is still necessary for the
purpose for which it was collected or when the processing is required for
compliance with a legal obligation.
|
|
Right to restriction of processing
|
The Data Subject may obtain the restriction of processing when: a) the
accuracy of the personal data is contested and its being verified; b) the processing
is unlawful and the data subject requests limitation as an alternative to
erasure; c) the Data Controller no longer needs the data for its original
purpose and the data is requested by the data subject for the purposes of
declaring, exercising or defending a right in legal proceedings and; d) when
the Data Subject has objected to the processing, until it is ascertained
whether the legitimate interests of the controller override those of the data
subject.
|
|
Right to data
portability
|
When the legal basis for data processing is consent or the performance
of the contract, and there is processing by automated means, the Data Subject
shall have the right to request the portability of their data. This right may
not, however, adversely affect the rights and freedoms of third parties.
|
|
Right to object
|
When data is processed on the basis of legitimate or public interest,
or for the purposes of direct marketing, the data subject shall have the
right to object to the processing.
|
|
Right to withdraw
consent
|
When consent is the lawful basis for data processing, the User has a
right to withdraw consent at any time. This does not, however, not affect the
lawfulness of processing based on consent before its withdrawal.
|
C.1. PROCEDURES FOR THE EXERCISING OF RIGHTS BY THE
USER
The
User can exercise the right to access, rectification or erasure of personal
data or restriction of processing concerning your data and to object to
processing as well as the right to data portability by contacting our DPO
through the e-mail dpo@discoveryportugal.com.
The
Controller will respond in writing (including by electronic means) to the
User’s without undue delay and in any event within one month of receipt of the
request. That period may be extended by two further months where necessary,
namely particularly complex cases.
If
the requests submitted by the User are manifestly unjustified or excessive,
especially due to their repetitive nature, DHM reserves the right to charge
administrative costs or refuse to comply with the request.
C.2. PERSONAL DATA BREACH
In
the case of a personal data breach and insofar as such breach is likely to result
in a high risk to the rights and freedoms of the User, the Data Controller
undertakes to report the personal data breach to the Supervisory Authority
within 72 hours from the knowledge of the incident.
In
addition, the Data Controller may communicate the data breach to the User if
such communication is required by law or if the Data Controller considers doing
so to be relevant:
- If the Data Controller has
implemented appropriate technical and organizational protection measures, and
those measures were applied to the personal data affected by the personal data
breach, in particular those that render the personal data unintelligible to any
person who is not authorized to access it, such as encryption.
- If the Data Controller has taken
subsequent measures which ensure that the high risk to the rights and freedoms
of data subjects referred to in paragraph 1 is no longer likely to materialize;
or
- If communication to the User would
involve a disproportionate effort on behalf of the Data Controller. In this
case, the Data Controller will release a public communication or take a similar
action by which the User will be informed.
D.
CONFIDENTIALITY OF EMAILS
The emails sent by the Controller and all its attachments
are CONFIDENTIAL, being destined exclusively to the individual or entity
indicated therein as recipients. If you read any email message and you are not
the intended recipient, you are hereby notified that any use, distribution, redirection
or other form of disclosure to another, print or copy of the message is
expressly prohibited under applicable laws. If you have received an email
message in error, we request that you immediately notify us by email at dpo@discoveryportugal.com and immediate delete it. The Controller declines all
responsibility for the content of the e-mail messages that are altered or
falsified.
E.
FINAL
PART
E.1. QUESTIONS
If
you have any questions or concerns regarding the way the Data Controller
handles your personal data, please contact your Data Protection Officer at
dpo@discoveryportugal.com.
E.2. APPLICABLE LAW AND LEGAL JURISDICTION
The
Privacy Policy as well as the collection, processing or transmission of Personal
Data are all governed by the provisions of GDPR, and by the laws and
regulations applicable in Portugal, in particular the GDPR Execution Law.
Any
litigation arising from the validity, interpretation or implementation of the
Privacy Policy, or related to the collection, processing or transmission of
User Data, must be submitted exclusively to the jurisdiction of the courts of
Lisbon, without prejudice to mandatory legal rules.
E.3. AMENDMENTS TO THE PRIVACY POLICY
The
Data Controller reserves the right to make changes to this Privacy Policy at
any time. In the case of modification to the Privacy Policy, the date of the
most recent change shall also be updated. If the change is substantial, a
notice will be placed on the Site.
Last amended: 09th May
2022
